File name:	dc888213fe54dda5afe3fec6b3056e09d3fc39abbea386d60ea53032a0c60e05.bin
Full analysis:	https://app.any.run/tasks/beb4f5ce-04de-4220-9b8f-fb82e64e1a71
Verdict:	Malicious activity
Analysis date:	April 14, 2025, 08:41:50
OS:	Windows 11 Professional (build: 22000, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	11E200F5CC0E80DF5D607CB978E0C8C8
SHA1:	E3DEA262D4601845BB3A5530B8813E4D1B536E0F
SHA256:	DC888213FE54DDA5AFE3FEC6B3056E09D3FC39ABBEA386D60EA53032A0C60E05
SSDEEP:	49152:M+F+4OBr+pylBAUobdiV159RqOaTde+eEkyE/cyuKkcQE5RHaokMuTnrIJVagUcj:bs3F+uiXbdiVb9Pwde+eE7E/clKFR6dQ

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2022:12:31 13:12:49+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	12
CodeSize:	29696
InitializedDataSize:	429056
UninitializedDataSize:	16896
EntryPoint:	0x3cbb
OSVersion:	5.1
ImageVersion:	6
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Windows, Chinese (Simplified)
Comments:	-
CompanyName:	-
FileDescription:	Deepseek本地部署工具v1卸载程序
FileVersion:	1.0.0.0
LegalCopyright:	(C) 2024 All Rights Reserved.
LegalTrademarks:	azSetup
ProductName:	Deepseek本地部署工具v1
ProductVersion:	25.2.21.9


(PID) Process:	(3756) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS
Operation:	write	Name:	PerfMMFileName
Value: Global\MMF_BITSb93cb6aa-57fa-40e8-893a-c6bc7a1bb7f5
(PID) Process:	(3372) OneDrive.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts\Personal
Operation:	write	Name:	OneDriveDeviceId
Value: 0b720417-1600-a13e-1ed3-62f717ccf726
(PID) Process:	(3372) OneDrive.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\OneDrive
Operation:	delete value	Name:	UpdateXMLTimestamp
Value: �ꬵ퐛ǘ
(PID) Process:	(3372) OneDrive.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(3372) OneDrive.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(3372) OneDrive.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(3372) OneDrive.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(3372) OneDrive.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\OneDrive
Operation:	write	Name:	SCOOBEOptIn
Value: 256
(PID) Process:	(3372) OneDrive.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\OneDrive\Accounts\Personal
Operation:	delete value	Name:	KFMLockedFilesCache
Value:
(PID) Process:	(3372) OneDrive.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:

PID	Process	Filename		Type
1784	dc888213fe54dda5afe3fec6b3056e09d3fc39abbea386d60ea53032a0c60e05.bin.exe	C:\Users\admin\AppData\Local\Temp\nss31E3.tmp\System.dll		executable
		MD5:553D576D77585B9E3A2819256694E81F	SHA256:96975506CFA9563DBDF01E03E8C4450B0BA085D04B204C7FFC372687E426BFC4
2268	dc888213fe54dda5afe3fec6b3056e09d3fc39abbea386d60ea53032a0c60e05.bin.exe	C:\Users\admin\AppData\Local\Temp\azSetup\azSetupStep\UnInstall\uninstall_cancel_normal.png		image
		MD5:C1C2CEA8B5B944463E3BACB0279504B7	SHA256:71C1DB9C373AE2AFEB6DBCA0550D492635759175D54368F7482ACBCF41393D96
2268	dc888213fe54dda5afe3fec6b3056e09d3fc39abbea386d60ea53032a0c60e05.bin.exe	C:\Users\admin\AppData\Local\Temp\azSetup\azSetupStep\UnInstall\en\unInstallCompleteTopBg.png		image
		MD5:2DAFC27E297FC4E01B29401C323C5F4E	SHA256:C7C56B261D03B235AAE5EBE9358CA1B5A4A3E7C2436959992B4DD6367B30F723
2268	dc888213fe54dda5afe3fec6b3056e09d3fc39abbea386d60ea53032a0c60e05.bin.exe	C:\Users\admin\AppData\Local\Temp\azSetup\azSetupStep\UnInstall\uninstall_continue_pressed.png		image
		MD5:8AA4FE6D3EBDAC59A88C9020D09A5AB5	SHA256:93C1E38A34EF52B4E666F3BFDAFADB94B24C2773E284971FB0069FC8DE53404B
2268	dc888213fe54dda5afe3fec6b3056e09d3fc39abbea386d60ea53032a0c60e05.bin.exe	C:\Users\admin\AppData\Local\Temp\azSetup\azSetupStep\UnInstall\Uninstall_zh-CN.xml		xml
		MD5:4C57A6B4139A5126FDFCF9C0AFA77A0E	SHA256:296653ABADBDA6130BE8F2EFED0C50C5A936CED1EC5DCC43A4ED11CED3478923
2268	dc888213fe54dda5afe3fec6b3056e09d3fc39abbea386d60ea53032a0c60e05.bin.exe	C:\Users\admin\AppData\Local\Temp\nss32CD.tmp\System.dll		executable
		MD5:553D576D77585B9E3A2819256694E81F	SHA256:96975506CFA9563DBDF01E03E8C4450B0BA085D04B204C7FFC372687E426BFC4
2268	dc888213fe54dda5afe3fec6b3056e09d3fc39abbea386d60ea53032a0c60e05.bin.exe	C:\Users\admin\AppData\Local\Temp\azSetup\azSetupStep\UnInstall\zh-CN\unInstallTopBg.png		image
		MD5:2DAFC27E297FC4E01B29401C323C5F4E	SHA256:C7C56B261D03B235AAE5EBE9358CA1B5A4A3E7C2436959992B4DD6367B30F723
2268	dc888213fe54dda5afe3fec6b3056e09d3fc39abbea386d60ea53032a0c60e05.bin.exe	C:\Users\admin\AppData\Local\Temp\azSetup\azSetupStep\UnInstall\uninstall_cancel_hover.png		image
		MD5:AC809DADB98FF4829019B0416EAD2B63	SHA256:9AC772BC07A2706C97FD98779392A0F553334766C41977B9CEEC0E317DF29E9F
2268	dc888213fe54dda5afe3fec6b3056e09d3fc39abbea386d60ea53032a0c60e05.bin.exe	C:\Users\admin\AppData\Local\Temp\azSetup\azSetupStep\UnInstall\checkbox_checked_hover.png		image
		MD5:26C2164F1B637A05BFE00A44B51C7D5B	SHA256:077C5B687D9EE02FBBFFD001E034A5091EF178AAE29ACA46551DAC2369908F1C
2268	dc888213fe54dda5afe3fec6b3056e09d3fc39abbea386d60ea53032a0c60e05.bin.exe	C:\Users\admin\AppData\Local\Temp\azSetup\azSetupStep\UnInstall\uninstall_continue_normal.png		image
		MD5:5248DEC5373B98EBEAFDD19FAC77181A	SHA256:07EBBE4DCD9E225A3B5E11026D8924B11D57875CA83DC8C5F50DE57BEB25D311

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4816	smartscreen.exe	GET	200	199.232.214.172:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ac86e86a44b6e862	unknown	—	—	whitelisted
4816	smartscreen.exe	GET	200	2.23.77.188:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
3372	OneDrive.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted
1352	svchost.exe	GET	200	2.16.164.35:80	http://www.msftconnecttest.com/connecttest.txt	unknown	—	—	whitelisted
2768	svchost.exe	GET	200	23.50.131.216:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1f7427a15856d6f2	unknown	—	—	whitelisted
2768	svchost.exe	GET	200	23.50.131.216:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?85bdfca370ee5867	unknown	—	—	whitelisted
3640	svchost.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2768	svchost.exe	GET	200	23.50.131.216:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?49fb406ef3f96737	unknown	—	—	whitelisted
2988	OfficeClickToRun.exe	GET	200	2.17.190.73:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D	unknown	—	—	whitelisted
2768	svchost.exe	GET	200	23.50.131.216:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ee594ad3c4d99f0e	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
1352	svchost.exe	2.16.164.42:80	—	Akamai International B.V.	NL	unknown
4816	smartscreen.exe	4.231.66.184:443	checkappexec.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4816	smartscreen.exe	199.232.214.172:80	ctldl.windowsupdate.com	FASTLY	US	whitelisted
4816	smartscreen.exe	2.23.77.188:80	ocsp.digicert.com	AKAMAI-AS	DE	whitelisted
3560	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3952	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
3756	svchost.exe	23.212.222.21:443	fs.microsoft.com	AKAMAI-AS	AU	whitelisted
3372	OneDrive.exe	52.123.129.14:443	config.teams.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
3372	OneDrive.exe	13.74.129.92:443	g.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3756	svchost.exe	13.74.129.92:443	g.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
google.com	142.250.185.110	whitelisted
checkappexec.microsoft.com	4.231.66.184	whitelisted
ctldl.windowsupdate.com	199.232.214.172 199.232.210.172 23.50.131.216 23.50.131.200	whitelisted
ocsp.digicert.com	2.23.77.188 2.17.190.73	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted
fs.microsoft.com	23.212.222.21	whitelisted
g.live.com	13.74.129.92	whitelisted
config.teams.microsoft.com	52.123.129.14 52.123.128.14	whitelisted
oneclient.sfx.ms	23.48.23.11 23.48.23.47 23.48.23.59 23.48.23.13 23.48.23.52 23.48.23.61 23.48.23.24 23.48.23.64 23.48.23.21 23.48.23.43 23.48.23.14 2.19.126.152 2.19.126.147	unknown
self.events.data.microsoft.com	20.50.80.209 40.79.141.154	whitelisted

PID	Process	Class	Message
1352	svchost.exe	Misc activity	ET INFO Microsoft Connection Test
1664	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Request to Azure content delivery network (aadcdn .msauth .net)

Process	Message
OneDrive.exe	Could not attach Keys property to: ExitDialog_QMLTYPE_17(0x1917a2ef0f0) is not an Item
OneDrive.exe	Could not attach Keys property to: ConfirmDialog_QMLTYPE_18(0x1917a335a40) is not an Item
OneDrive.exe	Could not attach Keys property to: ConfirmDialog_QMLTYPE_18(0x19179e7cc50) is not an Item
OneDrive.exe	qrc:/ImageConfirmDialog.qml:53:13: QML Image: Cannot open: file:///C:%5CProgram Files%5CMicrosoft OneDrive%5C25.051.0317.0003%5Cimages%5ClightTheme%5C
OneDrive.exe	qrc:/inline:1:462: Unable to assign [undefined] to QColor
OneDrive.exe	qrc:/WizardWindow.qml:163:5: QML Rectangle: Binding loop detected for property "height"
OneDrive.exe	qrc:/WizardWindow.qml:163:5: QML Rectangle: Binding loop detected for property "width"
OneDrive.exe	qrc:/WizardWindow.qml:163:5: QML Rectangle: Binding loop detected for property "width"
OneDrive.exe	qml: Loader src: qrc:/WizardEmailHRDPage.qml status: 2
OneDrive.exe	qrc:/KoreanMarketingInfo.qml:176:9: QML Row: Cannot specify left, right, horizontalCenter, fill or centerIn anchors for items inside Row. Row will not function.

General Info

dc888213fe54dda5afe3fec6b3056e09d3fc39abbea386d60ea53032a0c60e05.bin

11E200F5CC0E80DF5D607CB978E0C8C8

E3DEA262D4601845BB3A5530B8813E4D1B536E0F

DC888213FE54DDA5AFE3FEC6B3056E09D3FC39ABBEA386D60EA53032A0C60E05

49152:M+F+4OBr+pylBAUobdiV159RqOaTde+eEkyE/cyuKkcQE5RHaokMuTnrIJVagUcj:bs3F+uiXbdiVb9Pwde+eE7E/clKFR6dQ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Scans artifacts that could help determine the target

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Starts itself from another location

Reads the Internet Settings

Reads security settings of Internet Explorer

Reads settings of System Certificates

Executes as Windows Service

Process drops legitimate windows executable

Application launched itself

There is functionality for taking screenshot (YARA)

The process drops C-runtime libraries

Changes Internet Explorer settings (feature browser emulation)

Creates/Modifies COM task schedule object

Creates a software uninstall entry

Write to the desktop.ini file (may be used to cloak folders)

Reads the date of Windows installation

Reads Microsoft Outlook installation path

Reads Internet Explorer settings

INFO

Checks supported languages

The sample compiled with chinese language support

Reads the computer name

Create files in a temporary directory

Creates files or folders in the user directory

Checks proxy server information

Reads Environment values

Reads the machine GUID from the registry

Reads the software policy settings

Creates files in the program directory

The sample compiled with english language support

The sample compiled with portuguese language support

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events