URL:

http://www.duba.net

Full analysis: https://app.any.run/tasks/338fe9d7-2681-4539-a480-82cb266e9a39
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 11, 2019, 13:11:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
adware
Indicators:
MD5:

6E73D0B98F3574D03128E73EE0538E82

SHA1:

C882E2CAAEA320C93907311F32CA3F34373339FC

SHA256:

AE6194CED5A24D8F2A4AFF473B6BBCD41048AAC4A0C837550148EE17214BA0B8

SSDEEP:

3:N1KJS4xIR:Cc4+R

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • kinst_150_1_20170912.exe (PID: 1316)
      • kinst_150_1_20170912.exe (PID: 2564)
      • duba_100_50.exe (PID: 1768)
      • ksoftmgr.exe (PID: 2796)
      • kxescore.exe (PID: 1840)
      • kxescore.exe (PID: 2664)
      • kxetray.exe (PID: 308)
      • kavlog2.exe (PID: 2448)
      • khealtheye.exe (PID: 3060)
      • keyemain.exe (PID: 3832)
      • keyemain.exe (PID: 1748)
      • kscan.exe (PID: 4460)
      • rcmdhelper.exe (PID: 5284)
      • rcmdhelper.exe (PID: 4944)
      • rcmdhelper.exe (PID: 4704)
      • rcmdhelper.exe (PID: 4888)
      • rcmdhelper.exe (PID: 4468)
      • kxetray.exe (PID: 3964)
      • rcmdhelper.exe (PID: 4240)
      • kslaunch.exe (PID: 4728)
      • rcmdhelper.exe (PID: 5344)
      • rcmdhelper.exe (PID: 5424)
      • rcmdhelper.exe (PID: 3888)
      • kdrvmgr.exe (PID: 4736)
      • kismain.exe (PID: 5784)
      • kxetray.exe (PID: 5924)
      • kismain.exe (PID: 4016)
      • kismain.exe (PID: 3264)
      • kismain.exe (PID: 700)
      • kxetray.exe (PID: 1692)
      • kxetray.exe (PID: 5944)
      • kxetray.exe (PID: 1376)
      • sysfixkill.exe (PID: 5000)
    • Downloads executable files from the Internet

      • firefox.exe (PID: 3500)
      • kinst_150_1_20170912.exe (PID: 1316)
      • kxetray.exe (PID: 308)
    • Loads dropped or rewritten executable

      • kxetray.exe (PID: 308)
      • duba_100_50.exe (PID: 1768)
      • kxescore.exe (PID: 2664)
      • kxescore.exe (PID: 1840)
      • keyemain.exe (PID: 3832)
      • keyemain.exe (PID: 1748)
      • kscan.exe (PID: 4460)
      • firefox.exe (PID: 3500)
      • dwm.exe (PID: 1988)
      • kavlog2.exe (PID: 2448)
      • ksoftmgr.exe (PID: 2796)
      • rcmdhelper.exe (PID: 4944)
      • rcmdhelper.exe (PID: 4240)
      • rcmdhelper.exe (PID: 4704)
      • kxetray.exe (PID: 3964)
      • rcmdhelper.exe (PID: 4468)
      • DllHost.exe (PID: 4320)
      • rcmdhelper.exe (PID: 5284)
      • rcmdhelper.exe (PID: 4888)
      • rcmdhelper.exe (PID: 5344)
      • rcmdhelper.exe (PID: 3888)
      • rcmdhelper.exe (PID: 5424)
      • explorer.exe (PID: 124)
      • conhost.exe (PID: 4368)
      • kdrvmgr.exe (PID: 4736)
      • svchost.exe (PID: 848)
      • kxetray.exe (PID: 5924)
      • kismain.exe (PID: 4016)
      • kismain.exe (PID: 5784)
      • kismain.exe (PID: 3264)
      • kxetray.exe (PID: 1692)
      • kismain.exe (PID: 700)
      • sysfixkill.exe (PID: 5000)
      • kxetray.exe (PID: 5944)
      • kxetray.exe (PID: 1376)
    • Connects to CnC server

      • duba_100_50.exe (PID: 1768)
      • kxescore.exe (PID: 2664)
    • Changes the autorun value in the registry

      • duba_100_50.exe (PID: 1768)
    • Loads the Task Scheduler DLL interface

      • kxescore.exe (PID: 2664)
      • kxetray.exe (PID: 308)
    • Changes settings of System certificates

      • kxescore.exe (PID: 2664)
    • Loads the Task Scheduler COM API

      • kxetray.exe (PID: 308)
      • kscan.exe (PID: 4460)
      • kxescore.exe (PID: 2664)
    • Actions looks like stealing of personal data

      • kxetray.exe (PID: 308)
  • SUSPICIOUS

    • Low-level read access rights to disk partition

      • kinst_150_1_20170912.exe (PID: 1316)
      • duba_100_50.exe (PID: 1768)
    • Executable content was dropped or overwritten

      • firefox.exe (PID: 3500)
      • khealtheye.exe (PID: 3060)
      • kxescore.exe (PID: 2664)
      • kxetray.exe (PID: 308)
      • duba_100_50.exe (PID: 1768)
      • kdrvmgr.exe (PID: 4736)
      • sysfixkill.exe (PID: 5000)
    • Creates files in the Windows directory

      • kavlog2.exe (PID: 2448)
      • duba_100_50.exe (PID: 1768)
      • kxescore.exe (PID: 2664)
      • kscan.exe (PID: 4460)
      • svchost.exe (PID: 848)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • duba_100_50.exe (PID: 1768)
      • kxescore.exe (PID: 2664)
      • kxetray.exe (PID: 308)
    • Removes files from Windows directory

      • duba_100_50.exe (PID: 1768)
      • kxescore.exe (PID: 2664)
      • kscan.exe (PID: 4460)
      • kxetray.exe (PID: 308)
    • Creates a software uninstall entry

      • duba_100_50.exe (PID: 1768)
    • Creates files in the driver directory

      • duba_100_50.exe (PID: 1768)
      • kxescore.exe (PID: 2664)
      • kscan.exe (PID: 4460)
    • Creates COM task schedule object

      • duba_100_50.exe (PID: 1768)
      • kxescore.exe (PID: 2664)
    • Creates files in the program directory

      • kxescore.exe (PID: 1840)
      • duba_100_50.exe (PID: 1768)
      • khealtheye.exe (PID: 3060)
      • kxetray.exe (PID: 308)
      • rcmdhelper.exe (PID: 5284)
      • kxescore.exe (PID: 2664)
      • kscan.exe (PID: 4460)
      • kxetray.exe (PID: 3964)
      • SearchIndexer.exe (PID: 1260)
      • sysfixkill.exe (PID: 5000)
    • Reads internet explorer settings

      • ksoftmgr.exe (PID: 2796)
    • Executed as Windows Service

      • kxescore.exe (PID: 2664)
      • SearchIndexer.exe (PID: 1260)
    • Creates files in the user directory

      • kxetray.exe (PID: 308)
    • Creates or modifies windows services

      • kxescore.exe (PID: 2664)
      • kxetray.exe (PID: 308)
      • sysfixkill.exe (PID: 5000)
    • Searches for installed software

      • kxetray.exe (PID: 308)
    • Reads Internet Cache Settings

      • explorer.exe (PID: 124)
      • ksoftmgr.exe (PID: 2796)
      • kxetray.exe (PID: 308)
    • Connects to server without host name

      • kxetray.exe (PID: 308)
      • kxescore.exe (PID: 2664)
      • kscan.exe (PID: 4460)
    • Adds / modifies Windows certificates

      • kxescore.exe (PID: 2664)
    • Loads DLL from Mozilla Firefox

      • kscan.exe (PID: 4460)
  • INFO

    • Manual execution by user

      • kinst_150_1_20170912.exe (PID: 2564)
      • kinst_150_1_20170912.exe (PID: 1316)
    • Reads CPU info

      • firefox.exe (PID: 3500)
    • Reads Internet Cache Settings

      • firefox.exe (PID: 3500)
    • Application launched itself

      • firefox.exe (PID: 3500)
    • Reads settings of System Certificates

      • firefox.exe (PID: 3500)
      • kscan.exe (PID: 4460)
      • kxetray.exe (PID: 308)
    • Dropped object may contain Bitcoin addresses

      • duba_100_50.exe (PID: 1768)
      • khealtheye.exe (PID: 3060)
      • firefox.exe (PID: 3500)
      • kxetray.exe (PID: 308)
    • Creates files in the user directory

      • firefox.exe (PID: 3500)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
88
Monitored processes
48
Malicious processes
24
Suspicious processes
10

Behavior graph


Process information

PID
CMD
Path
Indicators
Parent process
PID: 3500
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" http://www.duba.net
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
67.0.4
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
PID: 2828
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3500.0.1780051164\727074752" -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3500 "\\.\pipe\gecko-crash-server-pipe.3500" 1168 gpu
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
67.0.4
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
PID: 2348
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3500.3.229431990\1352599677" -childID 1 -isForBrowser -prefsHandle 1696 -prefMapHandle 1644 -prefsLen 1 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3500 "\\.\pipe\gecko-crash-server-pipe.3500" 1744 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
67.0.4
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
PID: 2532
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3500.13.932386161\1500555204" -childID 2 -isForBrowser -prefsHandle 2788 -prefMapHandle 2792 -prefsLen 5842 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3500 "\\.\pipe\gecko-crash-server-pipe.3500" 2820 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
67.0.4
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
PID: 3268
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3500.20.946313061\331668112" -childID 3 -isForBrowser -prefsHandle 3624 -prefMapHandle 3632 -prefsLen 6604 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3500 "\\.\pipe\gecko-crash-server-pipe.3500" 3644 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
67.0.4
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
PID: 2564
CMD: "C:\Users\admin\Downloads\kinst_150_1_20170912.exe"
Path: C:\Users\admin\Downloads\kinst_150_1_20170912.exe
Parent process: explorer.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
MEDIUM
Description:
Kingsoft Install Tool
Exit code:
3221226540
Version:
2017,08,29,18953
Modules
Images
c:\users\admin\downloads\kinst_150_1_20170912.exe
c:\systemroot\system32\ntdll.dll
PID: 1316
CMD: "C:\Users\admin\Downloads\kinst_150_1_20170912.exe"
Path: C:\Users\admin\Downloads\kinst_150_1_20170912.exe
Parent process: explorer.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
Kingsoft Install Tool
Exit code:
0
Version:
2017,08,29,18953
Modules
Images
c:\users\admin\downloads\kinst_150_1_20170912.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1768
CMD: "C:\Users\admin\AppData\Local\Temp\duba_100_50.exe" /rcmdfromkinst /rcmdSceneId=2 /rcmdSoftId=0 /rcmdcheck=1 /rcmdreason="NoRcmdItem" /rcmdCid=0 /rcmdTid=0 /rcmdCanRcmd=0 /autoinstall ##silence=0&installpath="C:\Program Files\kingsoft\kingsoft antivirus\"&hwnd=201e2&tid1=100 tid2=50 tod1=100 tod2=51
Path: C:\Users\admin\AppData\Local\Temp\duba_100_50.exe
Parent process: kinst_150_1_20170912.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
Installer
Exit code:
1
Version:
2019,06,20,22255
Modules
Images
c:\users\admin\appdata\local\temp\duba_100_50.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\gdi32.dll
PID: 308
CMD: "c:\program files\kingsoft\kingsoft antivirus\kxetray.exe" /autorun /kislive /devmgr /install
Path: c:\program files\kingsoft\kingsoft antivirus\kxetray.exe
Parent process: duba_100_50.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
金山毒霸
Version:
2019,07,05,22317
Modules
Images
c:\program files\kingsoft\kingsoft antivirus\kxetray.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 2448
CMD: "c:\program files\kingsoft\kingsoft antivirus\kavlog2.exe" -install
Path: c:\program files\kingsoft\kingsoft antivirus\kavlog2.exe
Parent process: duba_100_50.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
KXEngine KeventLog3
Exit code:
0
Version:
2018,06,14,20609
Modules
Images
c:\program files\kingsoft\kingsoft antivirus\kavlog2.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\psapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
Total events
8 792
Read events
7 466
Write events
1 202
Delete events
124

Modification events

(PID) Process: (3500) firefox.exe
Key: HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Browser
Value:
0000000000000000
(PID) Process: (3500) firefox.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value:
0
(PID) Process: (3500) firefox.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value:
(PID) Process: (124) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation: write
Name: 308046O0NS4N39PO
Value:
000000000100000003000000742E0000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFFF03E474BA9E1D40100000000
(PID) Process: (124) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation: write
Name: HRZR_PGYFRFFVBA
Value:
(PID) Process: (3500) firefox.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
Operation: write
Name: LanguageList
Value:
en-US
(PID) Process: (3500) firefox.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value:
0
(PID) Process: (3500) firefox.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value:
1
(PID) Process: (124) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value:
02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202
(PID) Process: (124) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value:
0100000002000000000000000700000006000000030000000500000004000000FFFFFFFF
Executable files
255
Suspicious files
697
Text files
665
Unknown types
374

Dropped files

PID
Process
Filename
Type
PID: 3500
Process: firefox.exe
Filename: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin
MD5:
SHA256:
PID: 3500
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
MD5:
SHA256:
PID: 3500
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pluginreg.dat.tmp
MD5:
SHA256:
PID: 3500
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
MD5:
SHA256:
PID: 3500
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
MD5:
SHA256:
PID: 3500
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
MD5:
SHA256:
PID: 3500
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm
MD5:
SHA256:
PID: 3500
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp
MD5:
SHA256:
PID: 848
Process: svchost.exe
Filename: C:\Windows\appcompat\programs\RecentFileCache.bcf
Type: text
MD5: 89B163A5751B417E52EE9ABE1034EDD2
SHA256: 00D1E1123575F8BBE9ECDE0146CF42470A8AE00FE7A60AAC09A44E71092A16EB
PID: 3500
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js
Type: text
MD5: D65B2BD591A1D6CC666241E6EEF1AFE7
SHA256: 1B94F69A3BF3CB9F7349FE274CA82166C22D675F9B043B19F2770D044AE9BD16
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
338
TCP/UDP connections
397
DNS requests
318
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3500
firefox.exe
GET
200
202.173.15.148:80
http://kxlogo.knet.cn/seallogo.dll?sn=e12042311010018602307708&size=0
CN
unknown
3500
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
3500
firefox.exe
GET
200
36.99.227.229:80
http://dh1.cmcmcdn.com/duba/5/a/1/3/0/5a13045f60ead4b4b955d756d3b0e922.png
CN
image
182 Kb
malicious
3500
firefox.exe
GET
200
103.235.46.191:80
http://hm.baidu.com/hm.js?7b344617dc861558bc02241018ca7977
HK
text
11.5 Kb
whitelisted
3500
firefox.exe
GET
200
218.24.18.58:80
http://www.duba.net/css/indexS.css?v=20190531
CN
text
4.63 Kb
malicious
3500
firefox.exe
GET
200
218.24.18.58:80
http://www.duba.net/
CN
html
3.81 Kb
malicious
3500
firefox.exe
GET
200
218.24.18.58:80
http://www.duba.net/js/jss/jquery-1.11.2.min.js
CN
text
93.6 Kb
malicious
3500
firefox.exe
POST
200
172.217.18.3:80
http://ocsp.pki.goog/GTSGIAG3
US
der
471 b
whitelisted
3500
firefox.exe
GET
200
218.24.18.58:80
http://www.duba.net/js/jss/jquery.js
CN
text
70.3 Kb
malicious
3500
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3500
firefox.exe
34.251.59.153:443
location.services.mozilla.com
Amazon.com, Inc.
IE
unknown
3500
firefox.exe
36.99.227.230:80
dh1.cmcmcdn.com
No.31,Jin-rong Street
CN
suspicious
3500
firefox.exe
143.204.205.62:443
snippets.cdn.mozilla.net
US
unknown
3500
firefox.exe
52.26.103.165:443
tiles.services.mozilla.com
Amazon.com, Inc.
US
unknown
3500
firefox.exe
2.16.106.209:80
detectportal.firefox.com
Akamai International B.V.
whitelisted
3500
firefox.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3500
firefox.exe
202.173.15.148:80
kxlogo.knet.cn
KNET Techonlogy (BeiJing) Co.,Ltd.
CN
unknown
3500
firefox.exe
218.24.18.58:80
www.duba.net
CHINA UNICOM China169 Backbone
CN
suspicious
3500
firefox.exe
52.11.30.237:443
search.services.mozilla.com
Amazon.com, Inc.
US
unknown
3500
firefox.exe
54.189.245.11:443
push.services.mozilla.com
Amazon.com, Inc.
US
malicious

DNS requests

Domain
IP
Reputation
www.duba.net
  • 218.24.18.58
  • 218.24.18.55
  • 218.24.18.52
  • 218.24.18.62
  • 218.24.18.59
  • 218.24.18.56
  • 218.24.18.57
  • 218.24.18.63
  • 218.24.18.54
malicious
detectportal.firefox.com
  • 2.16.106.209
  • 2.16.106.152
whitelisted
a1089.dscd.akamai.net
  • 2.16.106.152
  • 2.16.106.209
whitelisted
zliebao.v.qingcdn.com
  • 218.24.18.54
  • 218.24.18.63
  • 218.24.18.57
  • 218.24.18.56
  • 218.24.18.59
  • 218.24.18.62
  • 218.24.18.52
  • 218.24.18.55
  • 218.24.18.58
suspicious
location.services.mozilla.com
  • 34.251.59.153
  • 34.243.21.190
  • 52.18.148.152
whitelisted
locprod1-elb-eu-west-1.prod.mozaws.net
  • 52.18.148.152
  • 34.243.21.190
  • 34.251.59.153
whitelisted
push.services.mozilla.com
  • 54.189.245.11
whitelisted
autopush.prod.mozaws.net
  • 54.189.245.11
whitelisted
tiles.services.mozilla.com
  • 52.26.103.165
  • 34.210.151.118
  • 52.26.166.58
  • 34.213.89.114
  • 52.25.71.236
  • 35.166.166.56
  • 52.27.87.181
  • 34.209.86.85
  • 52.34.132.219
  • 34.208.138.0
whitelisted
snippets.cdn.mozilla.net
  • 143.204.205.62
whitelisted

Threats

PID
Process
Class
Message
3500
firefox.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1316
kinst_150_1_20170912.exe
A Network Trojan was detected
ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1316
kinst_150_1_20170912.exe
A Network Trojan was detected
ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1316
kinst_150_1_20170912.exe
Misc activity
ADWARE [PTsecurity] PUP.Win32/KingSoft.E
1316
kinst_150_1_20170912.exe
Misc activity
ADWARE [PTsecurity] PUP.Win32/KingSoft.E
1316
kinst_150_1_20170912.exe
A Network Trojan was detected
ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1316
kinst_150_1_20170912.exe
Misc activity
ADWARE [PTsecurity] PUP.Win32/KingSoft.E
1316
kinst_150_1_20170912.exe
Misc activity
ADWARE [PTsecurity] PUP.Win32/KingSoft.E
1316
kinst_150_1_20170912.exe
A Network Trojan was detected
ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1316
kinst_150_1_20170912.exe
A Network Trojan was detected
ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1 ETPRO signatures available at the full report
Process
Message
duba_100_50.exe
14:13:34|~02888| [KAVMENU] reg_duba_32bit
kavlog2.exe
_tWinMain End.
kxescore.exe
c:\program files\kingsoft\kingsoft antivirus\ksapi.dll
kxescore.exe
c:\program files\kingsoft\kingsoft antivirus\ksapi.dll
kxetray.exe
c:\program files\kingsoft\kingsoft antivirus\ksapi.dll
kxetray.exe
c:\program files\kingsoft\kingsoft antivirus\ksapi.dll
kxescore.exe
<ERROR>Inst
kxescore.exe
<FATAL>load Install Interface c:\program files\kingsoft\kingsoft antivirus\security\ksde\knetctrl.dll Fatal = 1
kxescore.exe
<FATAL>Install KNetFlt Driver = 1
kxescore.exe
<FATAL>load Install Interface c:\program files\kingsoft\kingsoft antivirus\security\ksde\kmctrl.dll Fatal = 1