File name:

ucanet-browser.exe

Full analysis: https://app.any.run/tasks/12d3db9f-1c76-4a5e-8b7d-e191f4351fec
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: October 24, 2023, 20:35:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

236B50254D6F09BC7F59EF35AEE00834

SHA1:

50605883E424EB15D20D55152BC30A4340357A80

SHA256:

C5483D3C5CB6A5A1E5261B989AF9EF0C38E68C2623605493A2D8BEE83CC18CA4

SSDEEP:

3072:X9RrB8qVVj0cBLaaac55uauo5VVVu4VoYPnnnl3qwR9T1wljPnnnl3qwR9T1wlqa:HRkRszE8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • ucanet-browser.exe (PID: 1824)

    • Drops the executable file immediately after the start

      • ucanet-browser.exe (PID: 1824)
      • 3.0_Beta_SafariSetup30Beta[1].exe (PID: 396)
      • msiexec.exe (PID: 3700)

    • Application was dropped or rewritten from another process

      • 3.0_Beta_SafariSetup30Beta[1].exe (PID: 396)
      • 3.0_Beta_SafariSetup30Beta[1].exe (PID: 2564)
      • SafariSetupAdmin.exe (PID: 1024)
      • SoftwareUpdate.exe (PID: 2956)
      • mDNSResponder.exe (PID: 3116)

    • Creates a writable file the system directory

      • 3.0_Beta_SafariSetup30Beta[1].exe (PID: 396)
      • svchost.exe (PID: 864)
      • msiexec.exe (PID: 3700)

    • Loads dropped or rewritten executable

      • msiexec.exe (PID: 2952)
      • msiexec.exe (PID: 3248)
      • msiexec.exe (PID: 3868)
      • msiexec.exe (PID: 3988)
      • msiexec.exe (PID: 2500)
      • svchost.exe (PID: 864)
      • Skype.exe (PID: 2592)

  • SUSPICIOUS

    • Reads the Internet Settings

      • ucanet-browser.exe (PID: 1824)
      • Skype.exe (PID: 3900)
      • 3.0_Beta_SafariSetup30Beta[1].exe (PID: 396)
      • msiexec.exe (PID: 2776)

    • Reads Microsoft Outlook installation path

      • ucanet-browser.exe (PID: 1824)

    • Reads security settings of Internet Explorer

      • ucanet-browser.exe (PID: 1824)

    • Reads settings of System Certificates

      • ucanet-browser.exe (PID: 1824)
      • Skype.exe (PID: 3900)

    • Checks Windows Trust Settings

      • ucanet-browser.exe (PID: 1824)
      • msiexec.exe (PID: 3700)

    • Process requests binary or script from the Internet

      • ucanet-browser.exe (PID: 1824)

    • Drops 7-zip archiver for unpacking

      • ucanet-browser.exe (PID: 1824)

    • Application launched itself

      • Skype.exe (PID: 3900)

    • Uses REG/REGEDIT.EXE to modify registry

      • Skype.exe (PID: 3900)

    • Adds/modifies Windows certificates

      • explorer.exe (PID: 1400)
      • 3.0_Beta_SafariSetup30Beta[1].exe (PID: 396)

    • Reads Internet Explorer settings

      • ucanet-browser.exe (PID: 1824)

    • The process drops C-runtime libraries

      • 3.0_Beta_SafariSetup30Beta[1].exe (PID: 396)
      • msiexec.exe (PID: 3700)

    • Process drops legitimate windows executable

      • 3.0_Beta_SafariSetup30Beta[1].exe (PID: 396)
      • msiexec.exe (PID: 3700)

    • Detected use of alternative data streams (AltDS)

      • Skype.exe (PID: 3900)

    • Reads the Windows owner or organization settings

      • msiexec.exe (PID: 3700)

    • Executes as Windows Service

      • VSSVC.exe (PID: 3096)
      • mDNSResponder.exe (PID: 3116)

  • INFO

    • Checks supported languages

      • ucanet-browser.exe (PID: 1824)
      • wmpnscfg.exe (PID: 1044)
      • Skype.exe (PID: 3900)
      • Skype.exe (PID: 2744)
      • Skype.exe (PID: 2592)
      • Skype.exe (PID: 3396)
      • Skype.exe (PID: 760)
      • Skype.exe (PID: 3696)
      • Skype.exe (PID: 2800)
      • 3.0_Beta_SafariSetup30Beta[1].exe (PID: 396)
      • msiexec.exe (PID: 2776)
      • msiexec.exe (PID: 3700)
      • msiexec.exe (PID: 2952)
      • SafariSetupAdmin.exe (PID: 1024)
      • msiexec.exe (PID: 2844)
      • SoftwareUpdate.exe (PID: 2956)
      • msiexec.exe (PID: 3988)
      • msiexec.exe (PID: 3968)
      • mDNSResponder.exe (PID: 3116)

    • Reads the computer name

      • ucanet-browser.exe (PID: 1824)
      • wmpnscfg.exe (PID: 1044)
      • Skype.exe (PID: 3900)
      • Skype.exe (PID: 760)
      • Skype.exe (PID: 3396)
      • Skype.exe (PID: 2592)
      • Skype.exe (PID: 2800)
      • 3.0_Beta_SafariSetup30Beta[1].exe (PID: 396)
      • msiexec.exe (PID: 3700)
      • SafariSetupAdmin.exe (PID: 1024)
      • msiexec.exe (PID: 2952)
      • msiexec.exe (PID: 2776)
      • msiexec.exe (PID: 2844)
      • SoftwareUpdate.exe (PID: 2956)
      • msiexec.exe (PID: 3988)
      • mDNSResponder.exe (PID: 3116)
      • msiexec.exe (PID: 3968)

    • Reads the machine GUID from the registry

      • ucanet-browser.exe (PID: 1824)
      • wmpnscfg.exe (PID: 1044)
      • Skype.exe (PID: 3900)
      • msiexec.exe (PID: 3700)
      • msiexec.exe (PID: 2776)
      • SafariSetupAdmin.exe (PID: 1024)
      • msiexec.exe (PID: 2952)
      • msiexec.exe (PID: 2844)
      • SoftwareUpdate.exe (PID: 2956)
      • msiexec.exe (PID: 3988)
      • msiexec.exe (PID: 3968)
      • mDNSResponder.exe (PID: 3116)

    • Checks proxy server information

      • ucanet-browser.exe (PID: 1824)

    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 1400)

    • Reads the Internet Settings

      • explorer.exe (PID: 1400)

    • Manual execution by a user

      • WINWORD.EXE (PID: 3204)
      • wmpnscfg.exe (PID: 1044)
      • Skype.exe (PID: 3900)

    • Reads Environment values

      • ucanet-browser.exe (PID: 1824)
      • Skype.exe (PID: 3900)
      • Skype.exe (PID: 3396)

    • Creates files or folders in the user directory

      • ucanet-browser.exe (PID: 1824)
      • Skype.exe (PID: 3900)
      • Skype.exe (PID: 3396)
      • Skype.exe (PID: 2592)

    • Create files in a temporary directory

      • ucanet-browser.exe (PID: 1824)
      • Skype.exe (PID: 3900)
      • 3.0_Beta_SafariSetup30Beta[1].exe (PID: 396)
      • SafariSetupAdmin.exe (PID: 1024)
      • msiexec.exe (PID: 3700)

    • Reads product name

      • Skype.exe (PID: 3900)
      • Skype.exe (PID: 3396)

    • Reads CPU info

      • Skype.exe (PID: 3900)
      • SoftwareUpdate.exe (PID: 2956)

    • Process checks computer location settings

      • Skype.exe (PID: 3900)
      • Skype.exe (PID: 3396)
      • Skype.exe (PID: 3696)

    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 1280)

    • Application launched itself

      • msiexec.exe (PID: 3700)
      • chrome.exe (PID: 1928)

    • The process uses the downloaded file

      • ucanet-browser.exe (PID: 1824)

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 1280)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (49)
.exe | Win32 Executable MS Visual C++ (generic) (20.9)
.exe | Win64 Executable (generic) (18.5)
.dll | Win32 Dynamic Link Library (generic) (4.4)
.exe | Win32 Executable (generic) (3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2023:09:11 06:28:10+02:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 270336
InitializedDataSize: 8192
UninitializedDataSize: -
EntryPoint: 0x43d9e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: ucanet browser is a free browser for exploring the web within the ucanet ecosystem.
CompanyName: ucanet
FileDescription: ucanet-browser
FileVersion: 1.0.0.0
InternalName: ucanet-browser.exe
LegalCopyright: Copyright © ucanet 2023
OriginalFileName: ucanet-browser.exe
ProductName: ucanet browser
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
104
Monitored processes
50
Malicious processes
8
Suspicious processes
2

Behavior graph

Click at the process to see the details
download and start download and start start drop and start ucanet-browser.exe winword.exe no specs wmpnscfg.exe no specs skype.exe skype.exe skype.exe no specs skype.exe reg.exe no specs skype.exe no specs reg.exe no specs skype.exe no specs skype.exe no specs 3.0_beta_safarisetup30beta[1].exe no specs 3.0_beta_safarisetup30beta[1].exe msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs safarisetupadmin.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs softwareupdate.exe no specs msiexec.exe no specs vssvc.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs mdnsresponder.exe svchost.exe no specs explorer.exe no specs chrome.exe no specs consent.exe no specs chrome.exe chrome.exe no specs safari.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
296"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4632 --field-trial-handle=1304,i,16771547763275244310,5282741781658964475,131072 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
396"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\3.0_Beta_SafariSetup30Beta[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\3.0_Beta_SafariSetup30Beta[1].exe
ucanet-browser.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\po2hn1x2\3.0_beta_safarisetup30beta[1].exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
760"C:\Program Files\Microsoft\Skype for Desktop\Skype.exe" --type=gpu-process --user-data-dir="C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1424 --field-trial-handle=1320,i,15584635077984606421,15706503891313207675,131072 --enable-features=WinUseBrowserSpellChecker,WinUseHybridSpellChecker,WinrtGeolocationImplementation --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2C:\Program Files\Microsoft\Skype for Desktop\Skype.exeSkype.exe
User:
admin
Company:
Skype Technologies S.A.
Integrity Level:
LOW
Description:
Skype
Exit code:
0
Version:
8.100.0.203
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft\skype for desktop\skype.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\program files\microsoft\skype for desktop\ffmpeg.dll
c:\windows\system32\uiautomationcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
864C:\Windows\system32\svchost.exe -k netsvcsC:\Windows\System32\svchost.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1024"C:\Users\admin\AppData\Local\Temp\7zSCB3E.tmp\SafariSetupAdmin.exe" /evt EDBA /pid 2776 /mon 544 556 /alt "C:\Users\admin\AppData\Local\Temp\7zSCB3E.tmp\AppleSoftwareUpdate.msi" REBOOT=ReallySuppress SCHEDULE="1"C:\Users\admin\AppData\Local\Temp\7zSCB3E.tmp\SafariSetupAdmin.exemsiexec.exe
User:
admin
Company:
Apple Inc.
Integrity Level:
HIGH
Description:
Safari Installer (Elevated)
Exit code:
0
Version:
3.522.11.3
Modules
Images
c:\users\admin\appdata\local\temp\7zscb3e.tmp\safarisetupadmin.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
1044"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
1280"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\7zSCB3E.tmp\Safari.msi" C:\Windows\System32\msiexec.exe3.0_Beta_SafariSetup30Beta[1].exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1280"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1544 --field-trial-handle=1304,i,16771547763275244310,5282741781658964475,131072 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
HIGH
Description:
Google Chrome
Exit code:
0
Version:
109.0.5414.120
1400C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1824"C:\Users\admin\AppData\Local\Temp\ucanet-browser.exe" C:\Users\admin\AppData\Local\Temp\ucanet-browser.exe
explorer.exe
User:
admin
Company:
ucanet
Integrity Level:
MEDIUM
Description:
ucanet-browser
Exit code:
3221225547
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\ucanet-browser.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events
44 344
Read events
43 828
Write events
336
Delete events
180

Modification events

(PID) Process:(1824) ucanet-browser.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1824) ucanet-browser.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1824) ucanet-browser.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1824) ucanet-browser.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1400) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:writeName:CheckSetting
Value:
01000000D08C9DDF0115D1118C7A00C04FC297EB01000000F6D6788197A75D498472ACE88906AC8D0000000002000000000010660000000100002000000048832D3FD0459F35F292D4F0571B992C6EB9F500D4ED7BC3B99927FC5331D217000000000E80000000020000200000003EFBFF3AEC091353AF9E58D48DF2D06E9D1BDED94E4937159293C20E513DDF0F3000000087034FE3522EDDAC6E83C331CAE7E3CB92B187260C4DAD8D1C31F9039AB30BE9E56E6C6EE2A54DD7C0FCB3257D6FF55F4000000040B806FFF8B32ABD66EABA7F35A86503B0F300E1B9A976FC4B3F6328F133A31ACB461ADFC86BE84974CB3AD9119C225504F24589D1CDC1655DA54BABE9CEF265
(PID) Process:(1400) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:writeName:{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Zvpebfbsg Bssvpr\Bssvpr14\JVAJBEQ.RKR
Value:
00000000060000000600000048200000000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BF000080BFFFFFFFFF900C0897A3FAD80100000000
(PID) Process:(1400) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Operation:writeName:HRZR_PGYFRFFVBA
Value:
00000000A6010000F80200004E576D013F0000004A0000008E0F0D004D006900630072006F0073006F00660074002E0049006E007400650072006E00650074004500780070006C006F007200650072002E00440065006600610075006C007400000028003E004000A4E75102B8E651020000000000000000000000000000080274E45102000008026CE25102000000000000D26CFFFFFFFF705911750000000000000000A4E251027C900D75000400000000000008E35102FFFFFFFF38EA7000FFFFFFFF080A7400D80E740030EA7000D4E25102F7AF3D7680D0707614F05102081D3E76E4613E766820700008E351020000000071000000BBF2CB00E8E25102A1693E766820700008E351020000000014E551023F613E766820700008E3510200000400000000800400000026E4510298E351025DA5147726E45102D26E147779A51477D6794D7526E4510210E65102000100006400610072E3510226E451026F0061006D0069006E0067005C006D006900630072006F0073006F0066007400CCE351023400000080E35102DE70310033003300350033003800310030003000F8E551025A000000A0E351021DA71477D6610E02D4E351025A00000010E651025C00000011000000104F7000084F7000F8E55102C4E3510220E40000D7F3CB00D0E351025E903E7620E45102D4E3510203943E760000000064561802FCE35102A9933E7664561802A8E45102D8511802BD933E7600000000D8511802A8E4510204E4510202000000840000003D3567004D006900630072006F0073006F00660074002E00570069006E0064006F00770073002E0043006F006E00740072006F006C00500061006E0065006C00000059004C61EF75A022590063003A005C00770069006E0064006F00770073005C00730079007300740065006D00330032005C0069006D006100670065007200650073002E0064006C006C000000570069006E0064006F00770073005C00730079007300740065006D00330032005C0069006D006100670065007200650073002E0064006C006C00000032020000000007000000E4E332021400000000000000000056007896210845D397750C12000000000000FA279C777896210814E432025F389C7764389C772279967578962108FA279C770000000000000000FFFFFFFF0000000000000000A21000004CE432023B600D77087C7C000000000047600D773F09C3B300000000A21000000000000024E432026C006C0050E4320200000000E8E43202A2100000081C09086CE43202B0FE5F74081C0908E8E43202A2100000000000000000004098E4320237C30D77C4000300A210000000000000F0E93202A2100000CDABBADC11000000485159004051590010E53202C4E4320270FE5F7414E500008809C3B3C4E432025E90EF7514E53202C8E432020394EF750000000044454402F0E43202A993EF75444544029CE53202B8404402BD93EF7500000000B84044029CE53202F8E4320202000000840000003D3567004D006900630072006F0073006F00660074002E00570069006E0064006F00770073002E0043006F006E00740072006F006C00500061006E0065006C00000059004C61EF75A022590063003A005C00770069006E0064006F00770073005C00730079007300740065006D00330032005C0069006D006100670065007200650073002E0064006C006C000000570069006E0064006F00770073005C00730079007300740065006D00330032005C0069006D006100670065007200650073002E0064006C006C00000032020000000007000000E4E332021400000000000000000056007896210845D397750C12000000000000FA279C777896210814E432025F389C7764389C772279967578962108FA279C770000000000000000FFFFFFFF0000000000000000A21000004CE432023B600D77087C7C000000000047600D773F09C3B300000000A21000000000000024E432026C006C0050E4320200000000E8E43202A2100000081C09086CE43202B0FE5F74081C0908E8E43202A2100000000000000000004098E4320237C30D77C4000300A210000000000000F0E93202A2100000CDABBADC11000000485159004051590010E53202C4E4320270FE5F7414E500008809C3B3C4E432025E90EF7514E53202C8E432020394EF750000000044454402F0E43202A993EF75444544029CE53202B8404402BD93EF7500000000B84044029CE53202F8E43202
(PID) Process:(1400) explorer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Operation:writeName:MRUListEx
Value:
020000001E0000001D0000001C0000001B0000001A000000000000001900000003000000180000001600000017000000150000001400000013000000120000000F00000011000000100000000E0000000D0000000C0000000B0000000A00000009000000080000000700000006000000050000000400000001000000FFFFFFFF
(PID) Process:(3204) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1033
Value:
On
(PID) Process:(3204) WINWORD.EXEKey:HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:writeName:1041
Value:
On
Executable files
114
Suspicious files
291
Text files
278
Unknown types
0

Dropped files

PID
Process
Filename
Type
3204WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR20EE.tmp.cvr
MD5:
SHA256:
1400explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\researchpublishing.rtf (2).lnkbinary
MD5:01F6D9876C26896D6DDC1F94C1172BB6
SHA256:1DEABCD522AA5C553001C934940E8DB874E4F722763FEB47B3D2ACBC89E3DFD3
3204WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmbinary
MD5:CE277E491039A07C033AB9DD4E6326D8
SHA256:32CA0909A31CE5243C345E734546942A5720A71DA9B86843F5ADA30C0FBE6447
3204WINWORD.EXEC:\Users\admin\Desktop\~$searchpublishing.rtfbinary
MD5:104C6290267D27523810D5410D8F6BE3
SHA256:548682A367B6DA822A2B8DF88409A1F9FF833E5CC3A09610E22AD73294CE4BF9
3204WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dattext
MD5:3845235DED5750DB9562F0E1D82C5800
SHA256:C006BC3C49BEDD99F0907F204EB12CD09AC8F81ACAF6EC511FB78612279399A9
1400explorer.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-msbinary
MD5:F9CE35869E73B32092DC24B77EED365F
SHA256:D3C3221ECD485A47943BD24C1787644E7E48E70919FC6B4148F055CB1B4C008C
3204WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\researchpublishing.rtf.LNKbinary
MD5:29F0DECF8CCDC24D825264F995A95C6C
SHA256:5A1B61901E35DF88917BD4E484D6E0E5796F7C110FA240EFBCD70235B99AA988
3204WINWORD.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D59AAD17-50EE-40D2-90C9-29690B628DE3}.tmpbinary
MD5:5D4D94EE7E06BBB0AF9584119797B23A
SHA256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
1824ucanet-browser.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\E1B71ULO.htmhtml
MD5:A602B7563DF8C89302FC0A58DA0059CB
SHA256:CD62B47207C56E7DAFE80A3521E61A8172CF00D9757002898B379508DC55F220
1824ucanet-browser.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\ico-tux[1].gifimage
MD5:56FADF351803A0CA51647460E843A213
SHA256:CBBDA6EDADC7958D370E0352A636AC9F7E9F9EE8CBB90C4B2E11C7FBC8CB9191
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
160
TCP/UDP connections
122
DNS requests
89
Threats
23

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1824
ucanet-browser.exe
GET
200
104.21.45.221:80
http://ucanet.net/ico-win.gif
unknown
image
3.61 Kb
unknown
1824
ucanet-browser.exe
GET
301
104.21.45.221:80
http://settings.ucanet.net/config/dns
unknown
html
694 b
unknown
1824
ucanet-browser.exe
GET
200
104.21.45.221:80
http://settings.ucanet.net/config/dns/
unknown
text
13 b
unknown
1824
ucanet-browser.exe
GET
200
104.21.45.221:80
http://ucanet.net/dot.gif
unknown
image
514 b
unknown
1824
ucanet-browser.exe
GET
200
104.21.45.221:80
http://ucanet.net/
unknown
html
2.44 Kb
unknown
1824
ucanet-browser.exe
GET
200
104.21.45.221:80
http://ucanet.net/topbar.gif
unknown
image
8.98 Kb
unknown
1824
ucanet-browser.exe
GET
200
104.21.45.221:80
http://ucanet.net/discord.gif
unknown
image
1.54 Kb
unknown
1824
ucanet-browser.exe
GET
200
104.21.45.221:80
http://ucanet.net/favicon.gif
unknown
image
1.78 Kb
unknown
1824
ucanet-browser.exe
GET
200
104.21.45.221:80
http://ucanet.net/ico-tux.gif
unknown
image
3.37 Kb
unknown
1824
ucanet-browser.exe
GET
200
104.21.45.221:80
http://ucanet.net/ico-osx-uni.gif
unknown
image
4.05 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1824
ucanet-browser.exe
104.21.45.221:80
settings.ucanet.net
CLOUDFLARENET
unknown
4
System
192.168.100.255:138
whitelisted
1824
ucanet-browser.exe
96.45.82.27:80
oldversion.cn
TIGGEE
US
unknown
1824
ucanet-browser.exe
3.215.56.8:80
www.oldversion.cn
AMAZON-AES
US
unknown
1824
ucanet-browser.exe
142.251.140.42:80
ajax.googleapis.com
GOOGLE
US
unknown
1824
ucanet-browser.exe
52.216.113.83:80
assets.oldversion.s3.amazonaws.com
AMAZON-02
US
unknown
1824
ucanet-browser.exe
172.217.17.142:443
apis.google.com
GOOGLE
US
whitelisted
1824
ucanet-browser.exe
142.251.140.8:443
www.googletagmanager.com
GOOGLE
US
unknown
1824
ucanet-browser.exe
157.240.9.35:80
www.facebook.com
FACEBOOK
BG
unknown

DNS requests

Domain
IP
Reputation
ucanet.mil
unknown
settings.ucanet.net
  • 104.21.45.221
  • 172.67.219.131
unknown
ucanet.net
  • 104.21.45.221
  • 172.67.219.131
unknown
www.ucanet.net
  • 104.21.45.221
  • 172.67.219.131
unknown
oldversion.cn
  • 96.45.82.27
  • 96.45.82.183
  • 96.45.83.117
  • 96.45.83.234
unknown
www.oldversion.cn
  • 3.215.56.8
unknown
ajax.googleapis.com
  • 142.251.140.42
whitelisted
assets.oldversion.s3.amazonaws.com
  • 52.216.113.83
  • 52.217.198.233
  • 54.231.160.161
  • 3.5.29.59
  • 52.217.94.44
  • 3.5.11.184
  • 3.5.1.160
  • 52.217.231.193
shared
apis.google.com
  • 172.217.17.142
  • 172.217.20.78
whitelisted
www.googletagmanager.com
  • 142.251.140.8
whitelisted

Threats

PID
Process
Class
Message
1824
ucanet-browser.exe
Potential Corporate Privacy Violation
ET POLICY HTTP POST contains pass= in cleartext
1824
ucanet-browser.exe
Potential Corporate Privacy Violation
ET POLICY HTTP POST contains pass= in cleartext
1824
ucanet-browser.exe
Misc activity
ET INFO EXE - Served Attached HTTP
1824
ucanet-browser.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1824
ucanet-browser.exe
Device Retrieving External IP Address Detected
SUSPICIOUS [ANY.RUN] Received IP address from server as result of HTTP request
1824
ucanet-browser.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1824
ucanet-browser.exe
Misc activity
ET INFO EXE - Served Attached HTTP
Unknown Traffic
ET HUNTING Suspicious Empty User-Agent
Unknown Traffic
ET HUNTING Suspicious Empty User-Agent
Unknown Traffic
ET HUNTING Suspicious Empty User-Agent
Process
Message
Skype.exe
[1024/213801.101:ERROR:filesystem_win.cc(130)] GetFileAttributes C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Crashpad\attachments\3a0ee62b-79ac-4cc3-bbd5-f65252e7a91f: The system cannot find the file specified. (0x2)
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ucanet-browser.exe