URL: http://www.duba.net

Full analysis: https://app.any.run/tasks/338fe9d7-2681-4539-a480-82cb266e9a39
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: July 11, 2019, 13:11:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader, adware
Indicators:
MD5: 6E73D0B98F3574D03128E73EE0538E82
SHA1: C882E2CAAEA320C93907311F32CA3F34373339FC
SHA256: AE6194CED5A24D8F2A4AFF473B6BBCD41048AAC4A0C837550148EE17214BA0B8
SSDEEP: 3:N1KJS4xIR:Cc4+R

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • duba_100_50.exe (PID: 1768)
      • kinst_150_1_20170912.exe (PID: 1316)
      • kinst_150_1_20170912.exe (PID: 2564)
      • ksoftmgr.exe (PID: 2796)
      • kxetray.exe (PID: 308)
      • kavlog2.exe (PID: 2448)
      • kxescore.exe (PID: 1840)
      • kxescore.exe (PID: 2664)
      • keyemain.exe (PID: 3832)
      • khealtheye.exe (PID: 3060)
      • keyemain.exe (PID: 1748)
      • kscan.exe (PID: 4460)
      • rcmdhelper.exe (PID: 4468)
      • rcmdhelper.exe (PID: 4704)
      • rcmdhelper.exe (PID: 5284)
      • rcmdhelper.exe (PID: 4240)
      • rcmdhelper.exe (PID: 4944)
      • rcmdhelper.exe (PID: 4888)
      • kxetray.exe (PID: 3964)
      • kslaunch.exe (PID: 4728)
      • rcmdhelper.exe (PID: 5344)
      • rcmdhelper.exe (PID: 5424)
      • rcmdhelper.exe (PID: 3888)
      • kdrvmgr.exe (PID: 4736)
      • kismain.exe (PID: 5784)
      • kismain.exe (PID: 4016)
      • kxetray.exe (PID: 5924)
      • kxetray.exe (PID: 1376)
      • kismain.exe (PID: 3264)
      • kxetray.exe (PID: 1692)
      • kismain.exe (PID: 700)
      • kxetray.exe (PID: 5944)
      • sysfixkill.exe (PID: 5000)
    • Downloads executable files from the Internet

      • firefox.exe (PID: 3500)
      • kinst_150_1_20170912.exe (PID: 1316)
      • kxetray.exe (PID: 308)
    • Connects to CnC server

      • duba_100_50.exe (PID: 1768)
      • kxescore.exe (PID: 2664)
    • Changes the autorun value in the registry

      • duba_100_50.exe (PID: 1768)
    • Loads dropped or rewritten executable

      • kxetray.exe (PID: 308)
      • kxescore.exe (PID: 2664)
      • duba_100_50.exe (PID: 1768)
      • keyemain.exe (PID: 3832)
      • kxescore.exe (PID: 1840)
      • keyemain.exe (PID: 1748)
      • kscan.exe (PID: 4460)
      • firefox.exe (PID: 3500)
      • dwm.exe (PID: 1988)
      • kavlog2.exe (PID: 2448)
      • rcmdhelper.exe (PID: 4468)
      • ksoftmgr.exe (PID: 2796)
      • rcmdhelper.exe (PID: 4240)
      • rcmdhelper.exe (PID: 5284)
      • rcmdhelper.exe (PID: 4944)
      • rcmdhelper.exe (PID: 4888)
      • kxetray.exe (PID: 3964)
      • rcmdhelper.exe (PID: 4704)
      • DllHost.exe (PID: 4320)
      • rcmdhelper.exe (PID: 5344)
      • explorer.exe (PID: 124)
      • rcmdhelper.exe (PID: 5424)
      • rcmdhelper.exe (PID: 3888)
      • conhost.exe (PID: 4368)
      • kdrvmgr.exe (PID: 4736)
      • kismain.exe (PID: 5784)
      • kismain.exe (PID: 4016)
      • kxetray.exe (PID: 1692)
      • kxetray.exe (PID: 5924)
      • kismain.exe (PID: 700)
      • svchost.exe (PID: 848)
      • kismain.exe (PID: 3264)
      • kxetray.exe (PID: 1376)
      • kxetray.exe (PID: 5944)
      • sysfixkill.exe (PID: 5000)
    • Loads the Task Scheduler DLL interface

      • kxescore.exe (PID: 2664)
      • kxetray.exe (PID: 308)
    • Loads the Task Scheduler COM API

      • kxescore.exe (PID: 2664)
      • kscan.exe (PID: 4460)
      • kxetray.exe (PID: 308)
    • Changes settings of System certificates

      • kxescore.exe (PID: 2664)
    • Actions look like stealing of personal data

      • kxetray.exe (PID: 308)
  • SUSPICIOUS

    • Low-level read access rights to disk partition

      • kinst_150_1_20170912.exe (PID: 1316)
      • duba_100_50.exe (PID: 1768)
    • Executable content was dropped or overwritten

      • firefox.exe (PID: 3500)
      • duba_100_50.exe (PID: 1768)
      • khealtheye.exe (PID: 3060)
      • kxescore.exe (PID: 2664)
      • kxetray.exe (PID: 308)
      • kdrvmgr.exe (PID: 4736)
      • sysfixkill.exe (PID: 5000)
    • Creates files in the Windows directory

      • duba_100_50.exe (PID: 1768)
      • kavlog2.exe (PID: 2448)
      • kxescore.exe (PID: 2664)
      • kscan.exe (PID: 4460)
      • svchost.exe (PID: 848)
    • Creates files in the driver directory

      • duba_100_50.exe (PID: 1768)
      • kxescore.exe (PID: 2664)
      • kscan.exe (PID: 4460)
    • Removes files from Windows directory

      • duba_100_50.exe (PID: 1768)
      • kxescore.exe (PID: 2664)
      • kscan.exe (PID: 4460)
      • kxetray.exe (PID: 308)
    • Creates COM task schedule object

      • duba_100_50.exe (PID: 1768)
      • kxescore.exe (PID: 2664)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • duba_100_50.exe (PID: 1768)
      • kxescore.exe (PID: 2664)
      • kxetray.exe (PID: 308)
    • Creates a software uninstall entry

      • duba_100_50.exe (PID: 1768)
    • Creates files in the user directory

      • kxetray.exe (PID: 308)
    • Creates files in the program directory

      • kxescore.exe (PID: 1840)
      • duba_100_50.exe (PID: 1768)
      • kxetray.exe (PID: 308)
      • khealtheye.exe (PID: 3060)
      • kxescore.exe (PID: 2664)
      • rcmdhelper.exe (PID: 5284)
      • kscan.exe (PID: 4460)
      • kxetray.exe (PID: 3964)
      • SearchIndexer.exe (PID: 1260)
      • sysfixkill.exe (PID: 5000)
    • Executed as Windows Service

      • kxescore.exe (PID: 2664)
      • SearchIndexer.exe (PID: 1260)
    • Reads Internet Explorer settings

      • ksoftmgr.exe (PID: 2796)
    • Creates or modifies Windows services

      • kxescore.exe (PID: 2664)
      • kxetray.exe (PID: 308)
      • sysfixkill.exe (PID: 5000)
    • Searches for installed software

      • kxetray.exe (PID: 308)
    • Reads Internet Cache Settings

      • explorer.exe (PID: 124)
      • ksoftmgr.exe (PID: 2796)
      • kxetray.exe (PID: 308)
    • Connects to server without host name

      • kxetray.exe (PID: 308)
      • kxescore.exe (PID: 2664)
      • kscan.exe (PID: 4460)
    • Adds / modifies Windows certificates

      • kxescore.exe (PID: 2664)
    • Loads DLL from Mozilla Firefox

      • kscan.exe (PID: 4460)
  • INFO

    • Reads CPU info

      • firefox.exe (PID: 3500)
    • Reads Internet Cache Settings

      • firefox.exe (PID: 3500)
    • Manual execution by user

      • kinst_150_1_20170912.exe (PID: 2564)
      • kinst_150_1_20170912.exe (PID: 1316)
    • Application launched itself

      • firefox.exe (PID: 3500)
    • Reads settings of System Certificates

      • firefox.exe (PID: 3500)
      • kxetray.exe (PID: 308)
      • kscan.exe (PID: 4460)
    • Dropped object may contain Bitcoin addresses

      • duba_100_50.exe (PID: 1768)
      • khealtheye.exe (PID: 3060)
      • firefox.exe (PID: 3500)
      • kxetray.exe (PID: 308)
    • Creates files in the user directory

      • firefox.exe (PID: 3500)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 88
Monitored processes: 48
Malicious processes: 24
Suspicious processes: 10

Behavior graph

The interactive process graph is available in the full report. Graph nodes: firefox.exe, kinst_150_1_20170912.exe, duba_100_50.exe, kxetray.exe, kavlog2.exe, ksoftmgr.exe, kxescore.exe, khealtheye.exe, keyemain.exe, kscan.exe, rcmdhelper.exe, dwm.exe, kslaunch.exe, Thumbnail Cache Out of Proc Server, explorer.exe, kdrvmgr.exe, conhost.exe, searchindexer.exe, searchprotocolhost.exe, searchfilterhost.exe, svchost.exe, kismain.exe, sysfixkill.exe.

Process information

PID: 124
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll

PID: 308
CMD: "c:\program files\kingsoft\kingsoft antivirus\kxetray.exe" /autorun /kislive /devmgr /install
Path: c:\program files\kingsoft\kingsoft antivirus\kxetray.exe
Parent process: duba_100_50.exe
User: admin
Company: Kingsoft Corporation
Integrity Level: HIGH
Description: 金山毒霸
Exit code: 0
Version: 2019,07,05,22317
Modules (Images):
c:\program files\kingsoft\kingsoft antivirus\kxetray.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 700
CMD: "kismain.exe" /lite_acc -src:3
Path: c:\program files\kingsoft\kingsoft antivirus\kismain.exe
Parent process: kxetray.exe
User: admin
Company: Kingsoft Corporation
Integrity Level: MEDIUM
Description: Kingsoft KIS Main
Exit code: 3221225547
Version: 2017,11,21,19781
Modules (Images):
c:\program files\kingsoft\kingsoft antivirus\kismain.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 848
CMD: C:\Windows\system32\svchost.exe -k netsvcs
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\windanr.exe
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll

PID: 1260
CMD: C:\Windows\system32\SearchIndexer.exe /Embedding
Path: C:\Windows\system32\SearchIndexer.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Indexer
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\searchindexer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

PID: 1316
CMD: "C:\Users\admin\Downloads\kinst_150_1_20170912.exe"
Path: C:\Users\admin\Downloads\kinst_150_1_20170912.exe
Parent process: explorer.exe
User: admin
Company: Kingsoft Corporation
Integrity Level: HIGH
Description: Kingsoft Install Tool
Exit code: 0
Version: 2017,08,29,18953
Modules (Images):
c:\users\admin\downloads\kinst_150_1_20170912.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 1376
CMD: "C:\program files\kingsoft\kingsoft antivirus\kxetray.exe" /kismain /lite_acc -src:3
Path: C:\program files\kingsoft\kingsoft antivirus\kxetray.exe
Parent process: kismain.exe
User: admin
Company: Kingsoft Corporation
Integrity Level: HIGH
Description: 金山毒霸
Exit code: 1
Version: 2019,07,05,22317
Modules (Images):
c:\program files\kingsoft\kingsoft antivirus\kxetray.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 1388
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3500.27.1354409603\1180607644" -childID 4 -isForBrowser -prefsHandle 2732 -prefMapHandle 3024 -prefsLen 8354 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3500 "\\.\pipe\gecko-crash-server-pipe.3500" 3732 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Exit code: 0
Version: 67.0.4
Modules (Images):
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll

PID: 1692
CMD: "C:\program files\kingsoft\kingsoft antivirus\kxetray.exe" /kismain /lite_acc -src:3
Path: C:\program files\kingsoft\kingsoft antivirus\kxetray.exe
Parent process: kismain.exe
User: admin
Company: Kingsoft Corporation
Integrity Level: HIGH
Description: 金山毒霸
Exit code: 1
Version: 2019,07,05,22317
Modules (Images):
c:\program files\kingsoft\kingsoft antivirus\kxetray.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

PID: 1748
CMD: "C:\Program Files\khealtheye\keyemain.exe" /backgroud /updateindex:3
Path: C:\Program Files\khealtheye\keyemain.exe
Parent process: kxescore.exe
User: admin
Company: Kingsoft Corporation
Integrity Level: HIGH
Description: 护眼大师
Exit code: 0
Version: 2019,01,25,76
Modules (Images):
c:\program files\khealtheye\keyemain.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events: 8 792
Read events: 7 466
Write events: 1 202
Delete events: 124

Modification events

(PID) Process: (3500) firefox.exe
Key: HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation: write
Name: C:\Program Files\Mozilla Firefox\firefox.exe|Browser
Value: 0000000000000000

(PID) Process: (3500) firefox.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (3500) firefox.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value:

(PID) Process: (124) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation: write
Name: 308046O0NS4N39PO
Value: 000000000100000003000000742E0000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFFF03E474BA9E1D40100000000

(PID) Process: (124) explorer.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation: write
Name: HRZR_PGYFRFFVBA
Value:

(PID) Process: (3500) firefox.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\70\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3500) firefox.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (3500) firefox.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (124) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value: 02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202

(PID) Process: (124) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value: 0100000002000000000000000700000006000000030000000500000004000000FFFFFFFF
Executable files: 255
Suspicious files: 697
Text files: 665
Unknown types: 374

Dropped files

PID: 3500
Process: firefox.exe
Filename: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin
Type:
MD5:
SHA256:

PID: 3500
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
Type:
MD5:
SHA256:

PID: 3500
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pluginreg.dat.tmp
Type:
MD5:
SHA256:

PID: 3500
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
Type:
MD5:
SHA256:

PID: 3500
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
Type:
MD5:
SHA256:

PID: 3500
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
Type:
MD5:
SHA256:

PID: 3500
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm
Type:
MD5:
SHA256:

PID: 3500
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp
Type:
MD5:
SHA256:

PID: 3500
Process: firefox.exe
Filename: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin
Type: binary
MD5:
SHA256:

PID: 3500
Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js
Type: text
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 338
TCP/UDP connections: 397
DNS requests: 318
Threats: 163

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3500 | firefox.exe | GET | 200 | 202.173.15.148:80 | http://kxlogo.knet.cn/seallogo.dll?sn=e12042311010018602307708&size=0 | CN | | | unknown
3500 | firefox.exe | GET | 200 | 218.24.18.58:80 | http://www.duba.net/ | CN | html | 3.81 Kb | malicious
3500 | firefox.exe | GET | 200 | 218.24.18.58:80 | http://www.duba.net/js/jss/jquery.js | CN | text | 70.3 Kb | malicious
3500 | firefox.exe | GET | 200 | 218.24.18.58:80 | http://www.duba.net/js/jss/dialog.min.js | CN | text | 3.52 Kb | malicious
3500 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
3500 | firefox.exe | GET | 200 | 218.24.18.58:80 | http://www.duba.net/css/indexS.css?v=20190531 | CN | text | 4.63 Kb | malicious
3500 | firefox.exe | GET | 200 | 218.24.18.58:80 | http://www.duba.net/images/20161227/all.png | CN | image | 11.3 Kb | malicious
3500 | firefox.exe | GET | 200 | 36.99.227.229:80 | http://dh1.cmcmcdn.com/duba/d/e/7/5/7/de7571d8c371adb22aae157310b6a637.png | CN | image | 18.8 Kb | malicious
3500 | firefox.exe | GET | 200 | 103.235.46.191:80 | http://hm.baidu.com/hm.js?7b344617dc861558bc02241018ca7977 | HK | text | 11.5 Kb | whitelisted
3500 | firefox.exe | GET | 200 | 36.99.227.229:80 | http://dh1.cmcmcdn.com/duba/5/a/1/3/0/5a13045f60ead4b4b955d756d3b0e922.png | CN | image | 182 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3500 | firefox.exe | 36.99.227.230:80 | dh1.cmcmcdn.com | No.31,Jin-rong Street | CN | suspicious
3500 | firefox.exe | 172.217.18.3:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
3500 | firefox.exe | 2.16.106.209:80 | detectportal.firefox.com | Akamai International B.V. | | whitelisted
3500 | firefox.exe | 218.24.18.58:80 | www.duba.net | CHINA UNICOM China169 Backbone | CN | suspicious
3500 | firefox.exe | 34.251.59.153:443 | location.services.mozilla.com | Amazon.com, Inc. | IE | unknown
3500 | firefox.exe | 52.26.103.165:443 | tiles.services.mozilla.com | Amazon.com, Inc. | US | unknown
3500 | firefox.exe | 54.189.245.11:443 | push.services.mozilla.com | Amazon.com, Inc. | US | malicious
3500 | firefox.exe | 143.204.205.62:443 | snippets.cdn.mozilla.net | | US | unknown
3500 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3500 | firefox.exe | 60.174.241.133:80 | cd002.www.duba.net | No.31,Jin-rong Street | CN | malicious

DNS requests

Domain | IP | Reputation
www.duba.net | 218.24.18.58, 218.24.18.55, 218.24.18.52, 218.24.18.62, 218.24.18.59, 218.24.18.56, 218.24.18.57, 218.24.18.63, 218.24.18.54 | malicious
detectportal.firefox.com | 2.16.106.209, 2.16.106.152 | whitelisted
a1089.dscd.akamai.net | 2.16.106.152, 2.16.106.209 | whitelisted
zliebao.v.qingcdn.com | 218.24.18.54, 218.24.18.63, 218.24.18.57, 218.24.18.56, 218.24.18.59, 218.24.18.62, 218.24.18.52, 218.24.18.55, 218.24.18.58 | suspicious
location.services.mozilla.com | 34.251.59.153, 34.243.21.190, 52.18.148.152 | whitelisted
locprod1-elb-eu-west-1.prod.mozaws.net | 52.18.148.152, 34.243.21.190, 34.251.59.153 | whitelisted
push.services.mozilla.com | 54.189.245.11 | whitelisted
autopush.prod.mozaws.net | 54.189.245.11 | whitelisted
tiles.services.mozilla.com | 52.26.103.165, 34.210.151.118, 52.26.166.58, 34.213.89.114, 52.25.71.236, 35.166.166.56, 52.27.87.181, 34.209.86.85, 52.34.132.219, 34.208.138.0 | whitelisted
snippets.cdn.mozilla.net | 143.204.205.62 | whitelisted

Threats

PID | Process | Class | Message
3500 | firefox.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1316 | kinst_150_1_20170912.exe | A Network Trojan was detected | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1316 | kinst_150_1_20170912.exe | A Network Trojan was detected | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1316 | kinst_150_1_20170912.exe | Misc activity | ADWARE [PTsecurity] PUP.Win32/KingSoft.E
1316 | kinst_150_1_20170912.exe | Misc activity | ADWARE [PTsecurity] PUP.Win32/KingSoft.E
1316 | kinst_150_1_20170912.exe | A Network Trojan was detected | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1316 | kinst_150_1_20170912.exe | Misc activity | ADWARE [PTsecurity] PUP.Win32/KingSoft.E
1316 | kinst_150_1_20170912.exe | Misc activity | ADWARE [PTsecurity] PUP.Win32/KingSoft.E
1316 | kinst_150_1_20170912.exe | A Network Trojan was detected | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1316 | kinst_150_1_20170912.exe | A Network Trojan was detected | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
1 ETPRO signatures available at the full report
Process: Message
duba_100_50.exe: 14:13:34|~02888| [KAVMENU] reg_duba_32bit
kavlog2.exe: _tWinMain End.
kxescore.exe: c:\program files\kingsoft\kingsoft antivirus\ksapi.dll
kxescore.exe: c:\program files\kingsoft\kingsoft antivirus\ksapi.dll
kxetray.exe: c:\program files\kingsoft\kingsoft antivirus\ksapi.dll
kxetray.exe: c:\program files\kingsoft\kingsoft antivirus\ksapi.dll
kxescore.exe: <ERROR>Inst
kxescore.exe: <FATAL>load Install Interface c:\program files\kingsoft\kingsoft antivirus\security\ksde\knetctrl.dll Fatal = 1
kxescore.exe: <FATAL>Install KNetFlt Driver = 1
kxescore.exe: <FATAL>load Install Interface c:\program files\kingsoft\kingsoft antivirus\security\ksde\kmctrl.dll Fatal = 1