Malware analysis https://dl.360safe.com/software_installer_download/美图秀秀_1039_5f08c.exe Malicious activity

Add for printing

URL:	https://dl.360safe.com/software_installer_download/美图秀秀_1039_5f08c.exe
Full analysis:	https://app.any.run/tasks/145cd3b0-6e84-4383-98e6-716486041626
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 06, 2025, 05:22:19
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	loader xor-url generic stealer
Indicators:
MD5:	C073B96DFF67982106524BDB0CC56988
SHA1:	7147BC57B94C54FA63DFC1124B62D2A9A9F70404
SHA256:	CDCBA73D353357958DF3013EF08AE1C0A3F370B5BA5A4818E71899F217FFC425
SSDEEP:	3:N8RwVoLwKdMXJOXxSCCbrA2Ym6UN6n:2muMZOXx2RYNUN6n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- XORed URL has been found (YARA)
  - 美图秀秀_1039_5f08c.exe (PID: 7020)
  - 美图秀秀_1039_5f08c.exe (PID: 2132)
- Actions looks like stealing of personal data
  - 美图秀秀_1039_5f08c.exe (PID: 7020)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - 美图秀秀_1039_5f08c.exe (PID: 7020)
  - 美图秀秀_1039_5f08c.exe (PID: 2132)
  - 美图秀秀_1039_5f08c.exe (PID: 4952)
- Executable content was dropped or overwritten
  - 美图秀秀_1039_5f08c.exe (PID: 7020)
  - 美图秀秀_1039_5f08c.exe (PID: 2132)
  - 美图秀秀_1039_5f08c.exe (PID: 4952)
- There is functionality for taking screenshot (YARA)
  - 美图秀秀_1039_5f08c.exe (PID: 7020)
  - 美图秀秀_1039_5f08c.exe (PID: 2132)
  - 美图秀秀_1039_5f08c.exe (PID: 4952)
- Process requests binary or script from the Internet
  - explorer.exe (PID: 4488)
  - 美图秀秀_1039_5f08c.exe (PID: 7020)
- Potential Corporate Privacy Violation
  - explorer.exe (PID: 4488)
  - 美图秀秀_1039_5f08c.exe (PID: 7020)
- The process verifies whether the antivirus software is installed
  - 美图秀秀_1039_5f08c.exe (PID: 2132)
  - 美图秀秀_1039_5f08c.exe (PID: 7020)
  - 美图秀秀_1039_5f08c.exe (PID: 4952)
- Drops 7-zip archiver for unpacking
  - 美图秀秀_1039_5f08c.exe (PID: 7020)
- Write to the desktop.ini file (may be used to cloak folders)
  - 美图秀秀_1039_5f08c.exe (PID: 7020)
INFO
- Reads security settings of Internet Explorer
  - explorer.exe (PID: 4488)
  - Taskmgr.exe (PID: 7164)
- Executable content was dropped or overwritten
  - chrome.exe (PID: 6160)
  - chrome.exe (PID: 2484)
  - msedge.exe (PID: 3188)
- Manual execution by a user
  - msedge.exe (PID: 6096)
  - 美图秀秀_1039_5f08c.exe (PID: 2200)
  - 美图秀秀_1039_5f08c.exe (PID: 7020)
  - 美图秀秀_1039_5f08c.exe (PID: 2132)
  - 美图秀秀_1039_5f08c.exe (PID: 6152)
- Checks supported languages
  - identity_helper.exe (PID: 1400)
  - 美图秀秀_1039_5f08c.exe (PID: 7020)
  - 美图秀秀_1039_5f08c.exe (PID: 2132)
  - 美图秀秀_1039_5f08c.exe (PID: 4952)
  - zoolseNkOqCvL9.exe (PID: 6892)
- Reads the computer name
  - identity_helper.exe (PID: 1400)
  - 美图秀秀_1039_5f08c.exe (PID: 7020)
  - 美图秀秀_1039_5f08c.exe (PID: 2132)
  - 美图秀秀_1039_5f08c.exe (PID: 4952)
  - zoolseNkOqCvL9.exe (PID: 6892)
- Reads Environment values
  - identity_helper.exe (PID: 1400)
- Application launched itself
  - msedge.exe (PID: 6096)
  - chrome.exe (PID: 6160)
  - msedge.exe (PID: 7464)
- Checks proxy server information
  - 美图秀秀_1039_5f08c.exe (PID: 7020)
  - 美图秀秀_1039_5f08c.exe (PID: 2132)
  - explorer.exe (PID: 4488)
  - 美图秀秀_1039_5f08c.exe (PID: 4952)
- Creates files or folders in the user directory
  - 美图秀秀_1039_5f08c.exe (PID: 7020)
  - 美图秀秀_1039_5f08c.exe (PID: 4952)
  - 美图秀秀_1039_5f08c.exe (PID: 2132)
- Process checks computer location settings
  - 美图秀秀_1039_5f08c.exe (PID: 7020)
  - 美图秀秀_1039_5f08c.exe (PID: 2132)
  - 美图秀秀_1039_5f08c.exe (PID: 4952)
- Create files in a temporary directory
  - 美图秀秀_1039_5f08c.exe (PID: 7020)
  - 美图秀秀_1039_5f08c.exe (PID: 2132)
  - explorer.exe (PID: 4488)
  - 美图秀秀_1039_5f08c.exe (PID: 4952)
- The sample compiled with chinese language support
  - 美图秀秀_1039_5f08c.exe (PID: 7020)
  - explorer.exe (PID: 4488)
  - 美图秀秀_1039_5f08c.exe (PID: 2132)
  - 美图秀秀_1039_5f08c.exe (PID: 4952)
- Reads the machine GUID from the registry
  - 美图秀秀_1039_5f08c.exe (PID: 7020)
  - 美图秀秀_1039_5f08c.exe (PID: 2132)
  - 美图秀秀_1039_5f08c.exe (PID: 4952)
- The sample compiled with english language support
  - chrome.exe (PID: 2484)
  - 美图秀秀_1039_5f08c.exe (PID: 7020)
  - msedge.exe (PID: 3188)
- Creates files in the program directory
  - 美图秀秀_1039_5f08c.exe (PID: 7020)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

xor-url

(PID) Process(7020) 美图秀秀_1039_5f08c.exe

Decrypted-URLs (74)http://chp.f.360.cn/wdcquery

http://cp.uidf.f.360.cn/wpeinfo

http://crl.globalsign.com/ca/gstsacasha384g4.crl0

http://crl.globalsign.com/codesigningrootr45.crl0U

http://crl.globalsign.com/gs/gstimestampingg2.crl0T

http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0

http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0

http://crl.globalsign.com/root-r6.crl0G

http://crl.globalsign.net/root-r3.crl0

http://crl.globalsign.net/root.crl0

http://crl.thawte.com/ThawteTimestampingCA.crl0

http://crl.verisign.com/pca3-g5.crl04

http://dl.360safe.com/gf/%u.cab

http://dl.360safe.com/gf/def.cab

http://down.360safe.com/setup.exe

http://down.360safe.com/setupbeta.exe

http://hao.360.cn/?ln=360ini

http://logo.verisign.com/vslogo.gif04

http://my.360.com

http://my.360safe.com

http://ocsp.globalsign.com/ca/gstsacasha384g40C

http://ocsp.globalsign.com/codesigningrootr450F

http://ocsp.globalsign.com/gsgccr45evcodesignca20200U

http://ocsp.thawte.com0

http://ocsp.verisign.com0

http://ocsp2.globalsign.com/gstimestampingsha2g20

http://ocsp2.globalsign.com/rootr606

http://pinst.360.cn/360safebeta/safebeta_home.cab

http://pinst.360.cn/360sd/360sd_min.cab

http://s.360.cn/hips/update/inst.htm?m=%s&v=%s&s=%d&r=%d&d=%s&oav=%d

http://s.360.cn/safe/install.html?mid=%s&

http://s.360.cn/safe/setupsperr.htm?mid=%s

http://s1.symcb.com/pca3-g5.crl0

http://s2.symcb.com0

http://sd.360.cn

http://sd.360.cn/downloadbeta.html

http://secure.globalsign.com/cacert/codesigningrootr45.crt0A

http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?

http://secure.globalsign.com/cacert/gstimestampingg2.crt0

http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0

http://secure.globalsign.com/cacert/gstsacasha384g4.crt0

http://sf.symcb.com/sf.crl0a

http://sf.symcb.com/sf.crl0f

http://sf.symcb.com/sf.crt0

http://sfdl.360safe.com/inst_gf_popup.exe

http://sfdl.360safe.com/inst_gf_popup_ev.exe

http://sfdl.360safe.com/inst_js_popup.exe

http://sfdl.360safe.com/inst_js_popup_ev.exe

http://stat.sd.360.cn/setupfail.htm?pid=%s&case=%d

http://sv.symcb.com/sv.crl0a

http://sv.symcb.com/sv.crl0f

http://sv.symcb.com/sv.crt0

http://ts-aia.ws.symantec.com/tss-ca-g2.cer0

http://ts-crl.ws.symantec.com/tss-ca-g2.crl0

http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

http://ts-ocsp.ws.symantec.com07

http://www.2345.com/?pic360

http://www.360.cn

http://www.360.cn/killer/360compkill.html

http://www.360.cn/userexperienceimprovement.html

http://www.360.cn/xukexieyi.html#shadu

http://www.360safe.com

http://www.360safe.com/repair.html

http://www.symauth.com/cps0(

http://www.symauth.com/rpa00

https://d.symcb.com/cps0%

https://d.symcb.com/rpa0

https://hao.360.cn/

https://www.globalsign.com/repository/0

https://www.globalsign.com/repository/03

https://www.globalsign.com/repository/06

https://www.verisign.com/cps0*

https://www.verisign.com/rpa

https://www.verisign.com/rpa0

(PID) Process(2132) 美图秀秀_1039_5f08c.exe

Decrypted-URLs (74)http://chp.f.360.cn/wdcquery

http://cp.uidf.f.360.cn/wpeinfo

http://crl.globalsign.com/ca/gstsacasha384g4.crl0

http://crl.globalsign.com/codesigningrootr45.crl0U

http://crl.globalsign.com/gs/gstimestampingg2.crl0T

http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0

http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0

http://crl.globalsign.com/root-r6.crl0G

http://crl.globalsign.net/root-r3.crl0

http://crl.globalsign.net/root.crl0

http://crl.thawte.com/ThawteTimestampingCA.crl0

http://crl.verisign.com/pca3-g5.crl04

http://dl.360safe.com/gf/%u.cab

http://dl.360safe.com/gf/def.cab

http://down.360safe.com/setup.exe

http://down.360safe.com/setupbeta.exe

http://hao.360.cn/?ln=360ini

http://logo.verisign.com/vslogo.gif04

http://my.360.com

http://my.360safe.com

http://ocsp.globalsign.com/ca/gstsacasha384g40C

http://ocsp.globalsign.com/codesigningrootr450F

http://ocsp.globalsign.com/gsgccr45evcodesignca20200U

http://ocsp.thawte.com0

http://ocsp.verisign.com0

http://ocsp2.globalsign.com/gstimestampingsha2g20

http://ocsp2.globalsign.com/rootr606

http://pinst.360.cn/360safebeta/safebeta_home.cab

http://pinst.360.cn/360sd/360sd_min.cab

http://s.360.cn/hips/update/inst.htm?m=%s&v=%s&s=%d&r=%d&d=%s&oav=%d

http://s.360.cn/safe/install.html?mid=%s&

http://s.360.cn/safe/setupsperr.htm?mid=%s

http://s1.symcb.com/pca3-g5.crl0

http://s2.symcb.com0

http://sd.360.cn

http://sd.360.cn/downloadbeta.html

http://secure.globalsign.com/cacert/codesigningrootr45.crt0A

http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?

http://secure.globalsign.com/cacert/gstimestampingg2.crt0

http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0

http://secure.globalsign.com/cacert/gstsacasha384g4.crt0

http://sf.symcb.com/sf.crl0a

http://sf.symcb.com/sf.crl0f

http://sf.symcb.com/sf.crt0

http://sfdl.360safe.com/inst_gf_popup.exe

http://sfdl.360safe.com/inst_gf_popup_ev.exe

http://sfdl.360safe.com/inst_js_popup.exe

http://sfdl.360safe.com/inst_js_popup_ev.exe

http://stat.sd.360.cn/setupfail.htm?pid=%s&case=%d

http://sv.symcb.com/sv.crl0a

http://sv.symcb.com/sv.crl0f

http://sv.symcb.com/sv.crt0

http://ts-aia.ws.symantec.com/tss-ca-g2.cer0

http://ts-crl.ws.symantec.com/tss-ca-g2.crl0

http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

http://ts-ocsp.ws.symantec.com07

http://www.2345.com/?pic360

http://www.360.cn

http://www.360.cn/killer/360compkill.html

http://www.360.cn/userexperienceimprovement.html

http://www.360.cn/xukexieyi.html#shadu

http://www.360safe.com

http://www.360safe.com/repair.html

http://www.symauth.com/cps0(

http://www.symauth.com/rpa00

https://d.symcb.com/cps0%

https://d.symcb.com/rpa0

https://hao.360.cn/

https://www.globalsign.com/repository/0

https://www.globalsign.com/repository/03

https://www.globalsign.com/repository/06

https://www.verisign.com/cps0*

https://www.verisign.com/rpa

https://www.verisign.com/rpa0

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

232

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

524

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=6712 --field-trial-handle=2500,i,1174693239914971654,7733989319622198238,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

556

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2700 --field-trial-handle=2356,i,5518074884980040266,12474189908126809965,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

836

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=7020 --field-trial-handle=2500,i,1174693239914971654,7733989319622198238,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1220

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5540 --field-trial-handle=2500,i,1174693239914971654,7733989319622198238,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1328

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4264 --field-trial-handle=2500,i,1174693239914971654,7733989319622198238,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

1400

"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4268 --field-trial-handle=2500,i,1174693239914971654,7733989319622198238,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

PWA Identity Proxy Host

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

1412

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=3244 --field-trial-handle=1912,i,4871032538157590044,1085720561569302041,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2088

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=6588 --field-trial-handle=2500,i,1174693239914971654,7733989319622198238,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2132

"C:\Users\admin\Downloads\美图秀秀_1039_5f08c.exe"

C:\Users\admin\Downloads\美图秀秀_1039_5f08c.exe

explorer.exe

User:

admin

Company:

360.cn

Integrity Level:

HIGH

Description:

InstallSoft.exe

Exit code:

Version:

2, 0, 0, 1061

Modules

Images
c:\users\admin\downloads\美图秀秀_1039_5f08c.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

xor-url

(PID) Process(2132) 美图秀秀_1039_5f08c.exe

Decrypted-URLs (74)http://chp.f.360.cn/wdcquery

http://cp.uidf.f.360.cn/wpeinfo

http://crl.globalsign.com/ca/gstsacasha384g4.crl0

http://crl.globalsign.com/codesigningrootr45.crl0U

http://crl.globalsign.com/gs/gstimestampingg2.crl0T

http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0

http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0

http://crl.globalsign.com/root-r6.crl0G

http://crl.globalsign.net/root-r3.crl0

http://crl.globalsign.net/root.crl0

http://crl.thawte.com/ThawteTimestampingCA.crl0

http://crl.verisign.com/pca3-g5.crl04

http://dl.360safe.com/gf/%u.cab

http://dl.360safe.com/gf/def.cab

http://down.360safe.com/setup.exe

http://down.360safe.com/setupbeta.exe

http://hao.360.cn/?ln=360ini

http://logo.verisign.com/vslogo.gif04

http://my.360.com

http://my.360safe.com

http://ocsp.globalsign.com/ca/gstsacasha384g40C

http://ocsp.globalsign.com/codesigningrootr450F

http://ocsp.globalsign.com/gsgccr45evcodesignca20200U

http://ocsp.thawte.com0

http://ocsp.verisign.com0

http://ocsp2.globalsign.com/gstimestampingsha2g20

http://ocsp2.globalsign.com/rootr606

http://pinst.360.cn/360safebeta/safebeta_home.cab

http://pinst.360.cn/360sd/360sd_min.cab

http://s.360.cn/hips/update/inst.htm?m=%s&v=%s&s=%d&r=%d&d=%s&oav=%d

http://s.360.cn/safe/install.html?mid=%s&

http://s.360.cn/safe/setupsperr.htm?mid=%s

http://s1.symcb.com/pca3-g5.crl0

http://s2.symcb.com0

http://sd.360.cn

http://sd.360.cn/downloadbeta.html

http://secure.globalsign.com/cacert/codesigningrootr45.crt0A

http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?

http://secure.globalsign.com/cacert/gstimestampingg2.crt0

http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0

http://secure.globalsign.com/cacert/gstsacasha384g4.crt0

http://sf.symcb.com/sf.crl0a

http://sf.symcb.com/sf.crl0f

http://sf.symcb.com/sf.crt0

http://sfdl.360safe.com/inst_gf_popup.exe

http://sfdl.360safe.com/inst_gf_popup_ev.exe

http://sfdl.360safe.com/inst_js_popup.exe

http://sfdl.360safe.com/inst_js_popup_ev.exe

http://stat.sd.360.cn/setupfail.htm?pid=%s&case=%d

http://sv.symcb.com/sv.crl0a

http://sv.symcb.com/sv.crl0f

http://sv.symcb.com/sv.crt0

http://ts-aia.ws.symantec.com/tss-ca-g2.cer0

http://ts-crl.ws.symantec.com/tss-ca-g2.crl0

http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

http://ts-ocsp.ws.symantec.com07

http://www.2345.com/?pic360

http://www.360.cn

http://www.360.cn/killer/360compkill.html

http://www.360.cn/userexperienceimprovement.html

http://www.360.cn/xukexieyi.html#shadu

http://www.360safe.com

http://www.360safe.com/repair.html

http://www.symauth.com/cps0(

http://www.symauth.com/rpa00

https://d.symcb.com/cps0%

https://d.symcb.com/rpa0

https://hao.360.cn/

https://www.globalsign.com/repository/0

https://www.globalsign.com/repository/03

https://www.globalsign.com/repository/06

https://www.verisign.com/cps0*

https://www.verisign.com/rpa

https://www.verisign.com/rpa0

2136

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6436 --field-trial-handle=2500,i,1174693239914971654,7733989319622198238,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

—

msedge.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

LOW

Description:

Microsoft Edge

Exit code:

Version:

122.0.2365.59

Modules

Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

60 442

Read events

58 027

Write events

962

Delete events

1 453

Modification events


(PID) Process:	(4488) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Security and Maintenance\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0
Operation:	write	Name:	CheckSetting
Value: 23004100430042006C006F00620000000000000000000000010000000000000000000000
(PID) Process:	(4488) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:000000000004035A
Operation:	write	Name:	VirtualDesktop
Value: 1000000030304456A48A294F7A40804AB924005FF030B61F
(PID) Process:	(4488) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppBadgeUpdated
Operation:	write	Name:	Chrome
Value: 6
(PID) Process:	(6160) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(6160) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(6160) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(6160) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(6160) chrome.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:	write	Name:	usagestats
Value: 0
(PID) Process:	(7024) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:	write	Name:	{2781761E-28E0-4109-99FE-B9D127C57AFE} {56FFCC30-D398-11D0-B2AE-00A0C908FA49} 0xFFFF
Value: 0100000000000000F914F4205778DB01
(PID) Process:	(6160) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Common\Rlz\Events\C
Operation:	write	Name:	C1F
Value: 1

Add for printing

Executable files

103

Suspicious files

1 381

Text files

1 167

Unknown types

Dropped files

PID	Process	Filename		Type
6160	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF1371d8.TMP		—
		MD5:—	SHA256:—
6160	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RF1371d8.TMP		—
		MD5:—	SHA256:—
6160	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
6160	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
6160	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF1371e7.TMP		—
		MD5:—	SHA256:—
6160	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF1371e7.TMP		—
		MD5:—	SHA256:—
6160	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF1371e7.TMP		—
		MD5:—	SHA256:—
6160	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old		—
		MD5:—	SHA256:—
6160	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
6160	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RF1371f7.TMP		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

232

TCP/UDP connections

356

DNS requests

256

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1176	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7020	美图秀秀_1039_5f08c.exe	GET	200	171.13.14.66:80	http://s.360.cn/safe/instcomp.htm?soft=2023040419&status=6&pid=3112916&mid=80342cb959da2233832ae840f019ccba&m2=fe9694f777e256d0cc4755a6dd1f6ad7651f60d32bec	unknown	—	—	whitelisted
7020	美图秀秀_1039_5f08c.exe	GET	200	171.13.14.66:80	http://s.360.cn/safe/instcomp.htm?soft=2023040419&status=1&pid=3112916&mid=80342cb959da2233832ae840f019ccba&m2=fe9694f777e256d0cc4755a6dd1f6ad7651f60d32bec	unknown	—	—	whitelisted
7020	美图秀秀_1039_5f08c.exe	GET	200	111.7.66.168:80	http://sfdl.360safe.com/gf/360ini.cab	unknown	—	—	whitelisted
7020	美图秀秀_1039_5f08c.exe	HEAD	200	111.7.66.168:80	http://sfdl.360safe.com/gf/360ini.cab	unknown	—	—	whitelisted
236	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindggfcjicffkgpmnlppeffabd_1.0.2738.0_win64_kj4dp5kifwxbdodqls7e5nzhtm.crx3	unknown	—	—	whitelisted
236	svchost.exe	HEAD	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindggfcjicffkgpmnlppeffabd_1.0.2738.0_win64_kj4dp5kifwxbdodqls7e5nzhtm.crx3	unknown	—	—	whitelisted
7020	美图秀秀_1039_5f08c.exe	GET	200	171.13.14.66:80	http://s.360.cn/hips/update/inst.htm?m=80342cb959da2233832ae840f019ccba&m2=fe9694f777e256d0cc4755a6dd1f6ad7651f60d32bec&v=2001309&s=705&r=0&d=99990001	unknown	—	—	whitelisted
7020	美图秀秀_1039_5f08c.exe	GET	200	171.13.14.66:80	http://s.360.cn/hips/update/inst.htm?m=80342cb959da2233832ae840f019ccba&m2=fe9694f777e256d0cc4755a6dd1f6ad7651f60d32bec&v=2001309&s=700&r=0&d=99990001	unknown	—	—	whitelisted
236	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/imoffpf67hel7kbknqflao2oo4_1.0.2738.0/neifaoindggfcjicffkgpmnlppeffabd_1.0.2738.0_win64_kj4dp5kifwxbdodqls7e5nzhtm.crx3	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6472	chrome.exe	74.125.71.84:443	accounts.google.com	GOOGLE	US	whitelisted
6160	chrome.exe	239.255.255.250:1900	—	—	—	whitelisted
6472	chrome.exe	104.192.108.20:443	dl.360safe.com	Beijing Qihu Technology Company Limited	US	whitelisted
6472	chrome.exe	142.250.185.206:443	sb-ssl.google.com	GOOGLE	US	whitelisted
6472	chrome.exe	142.250.186.164:443	www.google.com	GOOGLE	US	whitelisted
2040	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1176	svchost.exe	20.190.159.23:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
6160	chrome.exe	224.0.0.251:5353	—	—	—	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
dl.360safe.com	104.192.108.20 104.192.108.21 104.192.108.17	whitelisted
accounts.google.com	74.125.71.84	whitelisted
sb-ssl.google.com	142.250.185.206	whitelisted
www.google.com	142.250.186.164	whitelisted
login.live.com	20.190.159.23 20.190.159.0 40.126.31.3 40.126.31.71 20.190.159.128 20.190.159.68 40.126.31.0 40.126.31.1 20.190.160.14 20.190.160.2 40.126.32.134 40.126.32.136 40.126.32.140 20.190.160.4 20.190.160.5 20.190.160.64	whitelisted
go.microsoft.com	184.28.89.167	whitelisted
slscr.update.microsoft.com	52.149.20.212	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted

Threats

PID	Process	Class	Message
5000	msedge.exe	Misc activity	SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc)
5000	msedge.exe	Potentially Bad Traffic	ET DNS Query for .cc TLD
5000	msedge.exe	Potentially Bad Traffic	ET DNS Query for .cc TLD
5000	msedge.exe	Misc activity	SUSPICIOUS [ANY.RUN] Tracking Service (.popin .cc)
7020	美图秀秀_1039_5f08c.exe	Misc activity	ET INFO Observed ZeroSSL SSL/TLS Certificate
2132	美图秀秀_1039_5f08c.exe	Misc activity	ET INFO Observed ZeroSSL SSL/TLS Certificate
4488	explorer.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
4488	explorer.exe	Misc activity	ET INFO Packed Executable Download
4952	美图秀秀_1039_5f08c.exe	Misc activity	ET INFO Observed ZeroSSL SSL/TLS Certificate
4488	explorer.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP

Add for printing

No debug info

General Info

https://dl.360safe.com/software_installer_download/美图秀秀_1039_5f08c.exe

C073B96DFF67982106524BDB0CC56988

7147BC57B94C54FA63DFC1124B62D2A9A9F70404

CDCBA73D353357958DF3013EF08AE1C0A3F370B5BA5A4818E71899F217FFC425

3:N8RwVoLwKdMXJOXxSCCbrA2Ym6UN6n:2muMZOXx2RYNUN6n

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

XORed URL has been found (YARA)

Actions looks like stealing of personal data

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

There is functionality for taking screenshot (YARA)

Process requests binary or script from the Internet

Potential Corporate Privacy Violation

The process verifies whether the antivirus software is installed

Drops 7-zip archiver for unpacking

Write to the desktop.ini file (may be used to cloak folders)

INFO

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Manual execution by a user

Checks supported languages

Reads the computer name

Reads Environment values

Application launched itself

Checks proxy server information

Creates files or folders in the user directory

Process checks computer location settings

Create files in a temporary directory

The sample compiled with chinese language support

Reads the machine GUID from the registry

The sample compiled with english language support

Creates files in the program directory

Malware configuration

xor-url

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Malware configuration

xor-url

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings