File name: b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe

Full analysis: https://app.any.run/tasks/b039579c-df16-4c0a-8147-5854fb7fb9ce
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 03, 2024, 14:58:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: 48BC0B9203E4C5E02697426BE45AE63A
SHA1: EDCD5E480F60C23A27D6C38B5CE5C597B38391A5
SHA256: B0CBF6B1C6E64268FC8B5D3394D67C74338D9D985B928D1F0E2C6BEFF732F981
SSDEEP: 3072:dzAnbi7C115MiervxyStbP59P3Knzd0GDZRJ5MsbBFCaNcupEhSolExWU1Ylcq9X:Gb5yhSolEsU1YlcpDPL7XGzNazGHAEAu

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Reads security settings of Internet Explorer
      • b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe (PID: 5580)
    • Reads Microsoft Outlook installation path
      • rundll32.exe (PID: 5512)
      • rundll32.exe (PID: 2620)
    • Executable content was dropped or overwritten
      • b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe (PID: 5580)
    • Application launched itself
      • rundll32.exe (PID: 5512)
    • Connects to unusual port
      • b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe (PID: 5580)
    • Potential Corporate Privacy Violation
      • b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe (PID: 5580)
  • INFO
    • Checks supported languages
      • b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe (PID: 5580)
    • Creates files in a temporary directory
      • b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe (PID: 5580)
    • Creates files or folders in the user directory
      • b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe (PID: 5580)
      • rundll32.exe (PID: 2620)
    • Reads security settings of Internet Explorer
      • rundll32.exe (PID: 5512)
      • rundll32.exe (PID: 2620)
    • Checks proxy server information
      • rundll32.exe (PID: 5512)
      • b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe (PID: 5580)
      • rundll32.exe (PID: 2620)
    • Reads the computer name
      • b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe (PID: 5580)
No Malware configuration.

TRiD

.exe | Win32 Executable Microsoft Visual Basic 6 (84.4)
.dll | Win32 Dynamic Link Library (generic) (6.7)
.exe | Win32 Executable (generic) (4.6)
.exe | Generic Win/DOS Executable (2)
.exe | DOS Executable Generic (2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:03:15 10:09:34+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 98304
InitializedDataSize: 32768
UninitializedDataSize: -
EntryPoint: 0x1ed4
OSVersion: 4
ImageVersion: 1.3
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.3.0.3
ProductVersionNumber: 1.3.0.3
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
Comments: Enable upgrade by default, fix file name error, add OL upgrade window, keep the window open, fix cache delay (original string: 开启默认升级,修正文件名错误,添加OL升级窗口,窗口保持,修复缓存延迟)
CompanyName: 义乌新网维
ProductName: sgtools
FileVersion: 1.03.0003
ProductVersion: 1.03.0003
InternalName: sg
OriginalFileName: sg.exe
Total processes: 127
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 1

Behavior graph

start → b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe → rundll32.exe (no specs) → rundll32.exe (no specs)

Process information

PID: 2620
CMD: C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:8 WinX:0 WinY:0 IEFrame:00000000
Path: C:\Windows\SysWOW64\rundll32.exe
Parent process: rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

PID: 5512
CMD: RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 8
Path: C:\Windows\SysWOW64\rundll32.exe
Parent process: b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

PID: 5580
CMD: "C:\Users\admin\Desktop\b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe"
Path: C:\Users\admin\Desktop\b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe
Parent process: explorer.exe
User: admin
Company: 义乌新网维
Integrity Level: MEDIUM
Exit code: 0
Version: 1.03.0003
Modules (images):
c:\users\admin\desktop\b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
Total events: 1 376
Read events: 1 360
Write events: 16
Delete events: 0

Modification events

(PID 5580) b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
  Operation: write, Name: CachePrefix, Value: (empty)
(PID 5580) b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
  Operation: write, Name: CachePrefix, Value: Cookie:
(PID 5580) b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
  Operation: write, Name: CachePrefix, Value: Visited:
(PID 5512) rundll32.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
  Operation: write, Name: CachePrefix, Value: (empty)
(PID 5512) rundll32.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
  Operation: write, Name: CachePrefix, Value: Cookie:
(PID 5512) rundll32.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
  Operation: write, Name: CachePrefix, Value: Visited:
(PID 5512) rundll32.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch
  Operation: write, Name: Version, Value: WS not running
(PID 2620) rundll32.exe
  Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content
  Operation: write, Name: CachePrefix, Value: (empty)
(PID 2620) rundll32.exe
  Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content
  Operation: write, Name: CacheVersion, Value: 1
(PID 2620) rundll32.exe
  Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Internet Settings\Cache\Content
  Operation: write, Name: CacheLimit, Value: 51200
Executable files: 1
Suspicious files: 2
Text files: 4
Unknown types: 0

Dropped files

(PID 5580) b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\sg[1].txt (text)
  MD5: 861D527B8D01E8FE1552E0CC56E05073
  SHA256: CC62463628D767AF138CBACA59820C248B2DBADAE73B33A09647E378FF4BD4A8
(PID 2620) rundll32.exe
  C:\Users\admin\AppData\Local\Packages\windows_ie_ac_001\AC\INetCache\MSIMGSIZ.DAT (binary)
  MD5: 0392ADA071EB68355BED625D8F9695F3
  SHA256: B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
(PID 5580) b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe
  C:\Users\admin\AppData\Local\VirtualStore\Windows\fn.txt (text)
  MD5: 8BA07E2C1992D4437CE2A34BF87B392C
  SHA256: 50B6B88F38BADEFF5F1171212B09ABF7847DEDB0609AC25EE27BDC6EE423F6C3
(PID 5580) b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe
  C:\Users\admin\AppData\Local\VirtualStore\Windows\fp.txt (text)
  MD5: 2D2C01F9D1CD3A1403382F1BBF0DE908
  SHA256: BD4AAD1756B35D84673AD5247E93CEA58309D8A6A3A16B788CF4E6BC7FAC1792
(PID 5580) b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\sgupdate[1].exe (executable)
  MD5: C12499081529C74A6C6D8FFBB72D4E32
  SHA256: A70E2039E7E80861D25FECFDF949C984A1AAE1FD357F52DB448FEDB19F28E4F5
(PID 5580) b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe
  C:\Users\admin\AppData\Local\Temp\~DF432D9D8EA33BB69C.TMP (binary)
  MD5: D5F351B80B7243D747F3993DCB7B624B
  SHA256: 4C52D2A427FFABC596F7068198A1E76E7F88D9660AB8BCDF7CE78AFC54F20082
(PID 5580) b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe
  C:\Users\admin\AppData\Local\VirtualStore\Windows\sg.txt (text)
  MD5: 861D527B8D01E8FE1552E0CC56E05073
  SHA256: CC62463628D767AF138CBACA59820C248B2DBADAE73B33A09647E378FF4BD4A8

Two details of this list matter for an analyst. The three VirtualStore\Windows paths are UAC file virtualization: the process tried to write fn.txt, fp.txt and sg.txt directly under C:\Windows and, as a 32-bit medium-integrity process without an elevation manifest, had those writes redirected to %LOCALAPPDATA%\VirtualStore\Windows. And VirtualStore\Windows\sg.txt carries the same MD5 and SHA256 as the INetCache copy sg[1].txt, so the file fetched from http://safe.ywxww.net:820/sg.txt was written out unchanged as the intended C:\Windows\sg.txt.
HTTP(S) requests: 8
TCP/UDP connections: 23
DNS requests: 10
Threats: 1

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
6944 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5580 | b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe | GET | 200 | 60.191.236.246:820 | http://safe.ywxww.net:820/sgupdate.exe | unknown | unknown
5580 | b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe | GET | 200 | 60.191.236.246:820 | http://safe.ywxww.net:820/sg.txt | unknown | unknown
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7048 | RUXIMICS.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6944 | svchost.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
7048 | RUXIMICS.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.218.209.163:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
7048 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5488 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6944 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 2.16.204.138:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5580 | b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe | 60.191.236.246:820 | safe.ywxww.net | Chinanet | CN | unknown
6944 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5488 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
7048 | RUXIMICS.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 40.127.240.158, 20.73.194.208 | whitelisted
www.bing.com | 2.16.204.138, 2.16.204.147, 2.16.204.142, 2.16.204.135, 2.16.204.139, 2.16.204.143, 2.16.204.145, 2.16.204.137, 2.16.204.134 | whitelisted
google.com | 142.250.184.206 | whitelisted
safe.ywxww.net | 60.191.236.246 | unknown
crl.microsoft.com | 23.48.23.143, 23.48.23.156 | whitelisted
www.microsoft.com | 23.218.209.163 | whitelisted
self.events.data.microsoft.com | 13.69.116.107 | whitelisted

Threats

PID | Process | Class | Message
5580 | b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
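The single IDS alert above is a policy rule: it fires whenever a PE image is served over plain HTTP, regardless of who serves it, and here it is the sample's fetch of http://safe.ywxww.net:820/sgupdate.exe (the file that lands in INetCache as sgupdate[1].exe). The script below is an added example, not code from ANY.RUN or from the sample's vendor, showing how the two network indicators on this page ("Connects to unusual port" and the PE-over-HTTP alert) reduce to checks over HTTP transaction records and how the sample's contacts fall out as IOCs. The TXS records are transcribed from the HTTP requests table; the response bodies are constructed stand-ins, since the page gives the hashes of sgupdate[1].exe but not its bytes, and the set of "usual" HTTP ports is this author's assumption.

```python
"""HTTP triage for the transactions recorded in this report.

Added example, not code from ANY.RUN or from the sample's vendor. The
TXS records are transcribed from the report's HTTP requests table; the
response bodies are constructed stand-ins (the report gives hashes of
the dropped sgupdate[1].exe, not its bytes). The two checks are this
author's reading of what the "Connects to unusual port" indicator and
the "ET POLICY PE EXE or DLL Windows file download HTTP" alert test.
"""
import struct
from dataclasses import dataclass
from urllib.parse import urlsplit

SAMPLE = "b0cbf6b1c6e64268fc8b5d3394d67c74338d9d985b928d1f0e2c6beff732f981.exe"
USUAL_HTTP_PORTS = {80, 443, 8080, 8443}   # assumption: what "usual" means here


@dataclass(frozen=True)
class HttpTx:
    pid: int
    process: str
    status: int
    url: str
    body: bytes      # leading bytes of the response body


def fake_pe(size=0x100):
    """Constructed minimal PE image prefix: 'MZ', e_lfanew at 0x3C, 'PE\\0\\0' there."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


def is_pe(body):
    """True when body carries an MZ header whose e_lfanew points at a PE signature."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def port_of(url):
    """Effective TCP port of a URL (explicit port, else the scheme default)."""
    parts = urlsplit(url)
    return parts.port or (443 if parts.scheme == "https" else 80)


# Transcribed from the report; bodies are constructed placeholders.
TXS = [
    HttpTx(6944, "svchost.exe", 200,
           "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl",
           b"\x30\x82\x05\x00" + bytes(0x60)),                  # DER-like prefix
    HttpTx(5580, SAMPLE, 200, "http://safe.ywxww.net:820/sgupdate.exe", fake_pe()),
    HttpTx(5580, SAMPLE, 200, "http://safe.ywxww.net:820/sg.txt",
           b"placeholder text\r\n"),
]


def triage(txs):
    """Map (pid, url) -> findings for transactions that trip either check."""
    out = {}
    for tx in txs:
        findings = []
        if tx.status == 200 and is_pe(tx.body):
            findings.append("PE EXE or DLL downloaded over plain HTTP")
        port = port_of(tx.url)
        if port not in USUAL_HTTP_PORTS:
            findings.append(f"HTTP on unusual port {port}")
        if findings:
            out[(tx.pid, tx.url)] = findings
    return out


def iocs(txs, pid):
    """Hosts and URLs one process contacted, for blocking or hunting."""
    mine = [tx for tx in txs if tx.pid == pid]
    return {
        "hosts": sorted({urlsplit(tx.url).netloc for tx in mine}),
        "urls": sorted(tx.url for tx in mine),
    }


if __name__ == "__main__":
    for (pid, url), findings in triage(TXS).items():
        print(pid, url, "; ".join(findings))
    print(iocs(TXS, 5580))
```

The CRL fetch by svchost.exe passes both checks; the sgupdate.exe download trips both, and sg.txt trips only the port check. The PE test reads e_lfanew rather than matching "MZ" alone so that text or DER bodies that happen to start with those two bytes are not flagged. What the checks cannot tell you is whether sgupdate.exe is hostile: with no indicator in the MALICIOUS section and version info describing an "sgtools" upgrade feature, the hashes of sgupdate[1].exe under Dropped files are the next thing to look up.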
No debug info