File name: screenrecorder_8f3b3b68.exe
Full analysis: https://app.any.run/tasks/33918204-1dd6-4cff-937d-57b26c85fef1
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: March 06, 2020, 09:19:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: D24600160AA9E5729B2F6BC35A510CBC
SHA1: D7D21EC36F321A7168E72375797D11CF9B714C1A
SHA256: DF41F7A58DEDF5DDE4921485977C265A77C81A6B125B1B8609B9B025158BAC86
SSDEEP: 24576:6KQ8WgNLfz1oCp6Teyae/sddDo/C+VyLAgSv8bNimsedQuZjqCQ5:jQsFzz6TeVcsTo/C+V8neuhnq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Jnz.exe (PID: 3580)
    • Loads dropped or rewritten executable
      • screenrecorder_8f3b3b68.exe (PID: 2500)
  • SUSPICIOUS
    • Creates files in the user directory
      • screenrecorder_8f3b3b68.exe (PID: 2500)
    • Executable content was dropped or overwritten
      • screenrecorder_8f3b3b68.exe (PID: 2500)
    • Low-level read access rights to disk partition
      • screenrecorder_8f3b3b68.exe (PID: 2500)
    • Connects to unusual port
      • Jnz.exe (PID: 3580)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF (EXE)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:02:28 11:08:04+01:00
PEType: PE32
LinkerVersion: 9
CodeSize: 346624
InitializedDataSize: 839168
UninitializedDataSize: -
EntryPoint: 0x33d6b
OSVersion: 5
ImageVersion: -
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 3.5.14.146
ProductVersionNumber: 3.5.14.146
FileFlagsMask: 0x003f
FileFlags: Private build, Special build
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
Comments: hilpds.exe
CompanyName: 苏州开心盒子软件有限公司 (Suzhou Happy Box Software Co., Ltd.)
FileDescription: 嗨格式录屏大师 (Hi Format Screen Recorder)
FileVersion: 3.5.14.146
InternalName: 嗨格式录屏大师 (Hi Format Screen Recorder)
LegalCopyright: 开心盒子软件 (C) 2020 (Happy Box Software (C) 2020)
OriginalFileName: hilpds.exe
PrivateBuild: 3.5.14.146
ProductName: 嗨格式录屏大师 (Hi Format Screen Recorder)
ProductVersion: 3.5.14.146
SpecialBuild: 3.5.14.146

The version resource names the binary hilpds.exe, not screenrecorder_8f3b3b68.exe: the analysed file is the vendor's installer stub renamed for download.

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 28-Feb-2020 10:08:04
Detected languages:
  • Chinese - PRC
Debug artifacts:
  • E:\BasePlatform\tags\SDK_53\Installer_butterfly\HIRECORDER\hilpds.pdb
Comments: hilpds.exe
CompanyName: 苏州开心盒子软件有限公司 (Suzhou Happy Box Software Co., Ltd.)
FileDescription: 嗨格式录屏大师 (Hi Format Screen Recorder)
FileVersion: 3.5.14.146
InternalName: 嗨格式录屏大师 (Hi Format Screen Recorder)
LegalCopyright: 开心盒子软件 (C) 2020 (Happy Box Software (C) 2020)
OriginalFilename: hilpds.exe
PrivateBuild: 3.5.14.146
ProductName: 嗨格式录屏大师 (Hi Format Screen Recorder)
ProductVersion: 3.5.14.146
SpecialBuild: 3.5.14.146

The PDB path is a build-environment artifact (a tagged SDK_53 checkout of an Installer_butterfly tree) and is a useful pivot for finding sibling installers from the same vendor toolchain.

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 28-Feb-2020 10:08:04
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name    Virtual Address  Virtual Size  Raw Size    Characteristics                                                                 Entropy
.text   0x00001000       0x000548D1    0x00054A00  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ                   6.62041
.rdata  0x00056000       0x000113CE    0x00011400  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                              5.29653
.data   0x00068000       0x0000491C    0x00002800  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE         4.85078
.rsrc   0x0006D000       0x000B12E0    0x000B1400  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                              7.89228
.reloc  0x0011F000       0x00005A8A    0x00005C00  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ   5.23666

Resources

Title  Entropy  Size    Codepage  Language       Type
1      4.87405  392     UNKNOWN   Chinese - PRC  RT_MANIFEST
2      3.97888  2920    UNKNOWN   Chinese - PRC  RT_ICON
3      3.86976  5160    UNKNOWN   Chinese - PRC  RT_ICON
4      3.77658  11560   UNKNOWN   Chinese - PRC  RT_ICON
5      3.67664  20520   UNKNOWN   Chinese - PRC  RT_ICON
6      7.98792  53747   UNKNOWN   Chinese - PRC  RT_ICON
102    2.75765  90      UNKNOWN   Chinese - PRC  RT_GROUP_ICON
103    7.89831  127181  UNKNOWN   Chinese - PRC  BINARYSYSTEM
105    7.99777  501275  UNKNOWN   Chinese - PRC  BINARYSYSTEM

The two custom BINARYSYSTEM resources (127181 and 501275 bytes, entropy close to 8.0) make up most of the 0xB1400-byte .rsrc section and explain its 7.89 entropy: the installer carries embedded payloads in resources, which is consistent with the Jnz.zip and Resource.zip archives it writes to C:\AuntecPkg_1583486382 at run time.
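The Sections and Resources tables above are the kind of data a triage script derives from the raw file. The following is an added example (not ANY.RUN's code) that parses a PE section table and scores each section's Shannon entropy. The image it parses is constructed in the script: the COFF header and the five section headers (names, virtual addresses, virtual sizes, characteristics, timestamp) are taken from this report, while the raw section contents are synthetic (constant filler, except .rsrc, which gets pseudo-random bytes to mimic the near-8.0 entropy reported for it). The 7.5 "likely packed" threshold is an assumed triage cut-off, not a standard.

```python
"""Parse a PE section table and score each section's Shannon entropy.

Added example, not code from ANY.RUN. Header values come from the report;
section bodies are synthetic so the script runs offline.
"""
import math
import random
import struct
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKED_THRESHOLD = 7.5          # assumed triage cut-off, not a standard
TIMESTAMP = 1582884484          # 28-Feb-2020 10:08:04 UTC, as in the report
SAMPLE_RAW_SIZE = 0x1000        # synthetic raw size per section

# (name, VirtualAddress, VirtualSize, Characteristics) from the Sections table
SECTIONS = [
    (b".text",  0x00001000, 0x000548D1, 0x60000020),
    (b".rdata", 0x00056000, 0x000113CE, 0x40000040),
    (b".data",  0x00068000, 0x0000491C, 0xC0000040),
    (b".rsrc",  0x0006D000, 0x000B12E0, 0x40000040),
    (b".reloc", 0x0011F000, 0x00005A8A, 0x42000040),
]


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_sample_pe():
    """Constructed image: DOS stub with e_lfanew, PE signature, COFF header,
    zeroed optional header, section table, then one raw block per section."""
    e_lfanew, size_opt = 0xF8, 0xE0
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=I386, 5 sections, timestamp, no symbols, optional header size, EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, len(SECTIONS), TIMESTAMP, 0, 0, size_opt, 0x0102)
    first_raw = e_lfanew + 4 + 20 + size_opt + 40 * len(SECTIONS)
    rng = random.Random(1)  # deterministic pseudo-random filler for .rsrc
    table, bodies = b"", b""
    for i, (name, va, vsize, chars) in enumerate(SECTIONS):
        ptr = first_raw + i * SAMPLE_RAW_SIZE
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, SAMPLE_RAW_SIZE, ptr, 0, 0, 0, 0, chars)
        if name == b".rsrc":
            bodies += bytes(rng.getrandbits(8) for _ in range(SAMPLE_RAW_SIZE))
        else:
            bodies += b"\x90" * SAMPLE_RAW_SIZE
    return bytes(dos) + b"PE\0\0" + coff + bytes(size_opt) + table + bodies


def parse_sections(image):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsec, ts, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    table_off = e_lfanew + 4 + 20 + size_opt
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, table_off + 40 * i)
        body = image[ptr:ptr + rawsize]
        ent = shannon_entropy(body)
        sections.append({
            "name": name.rstrip(b"\0").decode(),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(ent, 3),
            "likely_packed": ent > PACKED_THRESHOLD,  # compressed/encrypted payload suspected
            "wx": bool(chars & IMAGE_SCN_MEM_EXECUTE) and bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return {"machine": machine,
            "timestamp": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "sections": sections}


if __name__ == "__main__":
    report = parse_sections(build_sample_pe())
    print("compiled", report["timestamp"], "UTC")
    for s in report["sections"]:
        print(f"{s['name']:<7} va=0x{s['va']:08X} entropy={s['entropy']:.3f} "
              f"packed={s['likely_packed']} wx={s['wx']}")
```

Two checks are worth keeping from this: a writable and executable section (`wx`) is a red flag that none of the five sections here raise, and a section above the entropy threshold points at where an embedded payload lives, which for this sample is .rsrc.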

Imports

ADVAPI32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VERSION.dll
WINMM.dll
WS2_32.dll
gdiplus.dll

The WS2_32.dll import is consistent with the direct HTTP traffic recorded below.

Exports

No data.
Total processes: 39; monitored: 3; malicious: 0; suspicious: 1

Behavior graph

screenrecorder_8f3b3b68.exe (PID 2500) drops and starts Jnz.exe (PID 3580). A second instance of screenrecorder_8f3b3b68.exe (PID 3000) triggered no signatures.

Process information

PID 2500: "C:\Users\admin\AppData\Local\Temp\screenrecorder_8f3b3b68.exe"
  Path: C:\Users\admin\AppData\Local\Temp\screenrecorder_8f3b3b68.exe
  Parent process: explorer.exe
  User: admin
  Company: 苏州开心盒子软件有限公司 (Suzhou Happy Box Software Co., Ltd.)
  Integrity level: HIGH
  Description: 嗨格式录屏大师 (Hi Format Screen Recorder)
  Exit code: 0
  Version: 3.5.14.146
  Loaded modules (images):
    c:\users\admin\appdata\local\temp\screenrecorder_8f3b3b68.exe
    c:\systemroot\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\winmm.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll

PID 3000: "C:\Users\admin\AppData\Local\Temp\screenrecorder_8f3b3b68.exe"
  Path: C:\Users\admin\AppData\Local\Temp\screenrecorder_8f3b3b68.exe
  Parent process: explorer.exe
  User: admin
  Company: 苏州开心盒子软件有限公司 (Suzhou Happy Box Software Co., Ltd.)
  Integrity level: MEDIUM
  Description: 嗨格式录屏大师 (Hi Format Screen Recorder)
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 3.5.14.146
  Loaded modules (images):
    c:\users\admin\appdata\local\temp\screenrecorder_8f3b3b68.exe
    c:\systemroot\system32\ntdll.dll

  This medium-integrity instance refused to run without elevation and got no further than loading ntdll.dll. All of the file, registry and network activity in this report belongs to the HIGH-integrity instance, PID 2500.

PID 3580: "C:\Users\admin\AppData\Roaming\AuntecPkg\Jnz\Jnz.exe" -n 2D28A83C-7F18-4960-8FFC-16364F08E0EE -s 65536 -p 2500
  Path: C:\Users\admin\AppData\Roaming\AuntecPkg\Jnz\Jnz.exe
  Parent process: screenrecorder_8f3b3b68.exe
  User: admin
  Company: 苏州开心盒子软件有限公司 (Suzhou Happy Box Software Co., Ltd.)
  Integrity level: HIGH
  Description: Jnz Executable File
  Exit code: 0
  Version: 1, 0, 0, 1
  Loaded modules (images):
    c:\users\admin\appdata\roaming\auntecpkg\jnz\jnz.exe
    c:\systemroot\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\ws2_32.dll
    c:\windows\system32\nsi.dll

  The -p 2500 argument is the PID of the parent installer; the report does not show what -n (a GUID) and -s 65536 mean. Jnz.exe inherits HIGH integrity from the elevated installer, loads ws2_32.dll, and is the process behind the support.aunapi.com and sa.aunload.com:8106 traffic below.
Total events: 18 (15 read, 3 write, 0 delete)

Modification events

PID 2500 (screenrecorder_8f3b3b68.exe) wrote three values under HKEY_LOCAL_MACHINE\SOFTWARE\{71162BF7C2071D480629AF113CF0EB2D}\Collect:
  MID  = af8614516b5ab4a3f780dcfab88d21ff
  GUID = 61A345B2-7D42-414D-AE91-A2A425BFEDEC
  TIME = 1583486382

TIME is a Unix epoch, 2020-03-06 09:19:42 UTC, 23 seconds after the analysis start if the analysis date is UTC, and it is the same number used in the dropped directory name C:\AuntecPkg_1583486382. MID and GUID, stored under a key named Collect, are identifier-style values of the kind reported by telemetry endpoints; writing them to HKLM\SOFTWARE needs the elevated (HIGH-integrity) process. The key path itself, a 32-hex-character GUID-like name directly under HKLM\SOFTWARE, is a usable host IOC.
Files written: 2 executable, 2 suspicious, 86 text, 0 of unknown type

Dropped files

All written by PID 2500 (screenrecorder_8f3b3b68.exe):
  C:\AuntecPkg_1583486382\Jnz.zip (compressed)
  C:\AuntecPkg_1583486382\Resource.zip (compressed)
  C:\AuntecPkg_1583486382\images\custom_btn_browse_hover.png (image)
  C:\AuntecPkg_1583486382\images\custom_bg.png (image)
  C:\AuntecPkg_1583486382\images\custom_btn_install_click.png (image)
  C:\AuntecPkg_1583486382\images\custom_btn_install_disable.png (image)
  C:\AuntecPkg_1583486382\images\custom_btn_back_click.png (image)
  C:\AuntecPkg_1583486382\images\custom_btn_back_hover.png (image)
  C:\AuntecPkg_1583486382\images\custom_btn_browse_click.png (image)
  C:\AuntecPkg_1583486382\images\custom_word_available.png (image)

MD5 and SHA256 values for the dropped files are not included in this excerpt. The executable later run as PID 3580 lives at C:\Users\admin\AppData\Roaming\AuntecPkg\Jnz\Jnz.exe; Jnz.zip in the list above is consistent with it being unpacked from that archive.
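The Process information, Modification events and Dropped files sections above line up in several ways (the registry TIME value reappears in the drop directory name, Jnz.exe is handed its parent's PID on the command line, one installer instance died with an elevation error). The following is an added example, not part of ANY.RUN's report or tooling, that checks those relations mechanically. Its inputs are the report's own values copied in as constructed strings; the analysis start time is assumed to be UTC, and the one NTSTATUS name it knows is the code this report needs.

```python
"""Cross-check the report's registry writes, dropped paths and process tree.

Added example, not ANY.RUN's own tooling. Inputs are copied from the report
as constructed strings so the script runs offline.
"""
import re
from datetime import datetime, timezone

ANALYSIS_START = "2020-03-06 09:19:19"  # "Analysis date" from the report; UTC is an assumption

# The three modification events, in the flattened form the report prints them.
REG_EVENTS_TEXT = """\
(PID) Process:(2500) screenrecorder_8f3b3b68.exeKey:HKEY_LOCAL_MACHINE\\SOFTWARE\\{71162BF7C2071D480629AF113CF0EB2D}\\Collect
Operation:writeName:MID
Value:
af8614516b5ab4a3f780dcfab88d21ff
(PID) Process:(2500) screenrecorder_8f3b3b68.exeKey:HKEY_LOCAL_MACHINE\\SOFTWARE\\{71162BF7C2071D480629AF113CF0EB2D}\\Collect
Operation:writeName:GUID
Value:
61A345B2-7D42-414D-AE91-A2A425BFEDEC
(PID) Process:(2500) screenrecorder_8f3b3b68.exeKey:HKEY_LOCAL_MACHINE\\SOFTWARE\\{71162BF7C2071D480629AF113CF0EB2D}\\Collect
Operation:writeName:TIME
Value:
1583486382
"""

DROPPED_PATHS = [  # subset of the Dropped files list
    r"C:\AuntecPkg_1583486382\Jnz.zip",
    r"C:\AuntecPkg_1583486382\Resource.zip",
    r"C:\AuntecPkg_1583486382\images\custom_bg.png",
]

PROCESSES = {  # from the Process information section
    2500: {"image": "screenrecorder_8f3b3b68.exe", "parent": "explorer.exe", "integrity": "HIGH", "exit": 0,
           "cmd": r'"C:\Users\admin\AppData\Local\Temp\screenrecorder_8f3b3b68.exe"'},
    3000: {"image": "screenrecorder_8f3b3b68.exe", "parent": "explorer.exe", "integrity": "MEDIUM", "exit": 3221226540,
           "cmd": r'"C:\Users\admin\AppData\Local\Temp\screenrecorder_8f3b3b68.exe"'},
    3580: {"image": "Jnz.exe", "parent": "screenrecorder_8f3b3b68.exe", "integrity": "HIGH", "exit": 0,
           "cmd": r'"C:\Users\admin\AppData\Roaming\AuntecPkg\Jnz\Jnz.exe" -n 2D28A83C-7F18-4960-8FFC-16364F08E0EE -s 65536 -p 2500'},
}

NTSTATUS_NAMES = {0xC000042C: "STATUS_ELEVATION_REQUIRED"}  # only the code this report needs

EVENT_RE = re.compile(
    r"\(PID\) Process:\((?P<pid>\d+)\) (?P<proc>\S+?)Key:(?P<key>[^\n]+)\n"
    r"Operation:(?P<op>\w+)Name:(?P<name>\w+)\nValue:\n(?P<value>[^\n]*)\n"
)


def parse_reg_events(text):
    """One dict per flattened event line group: pid, proc, key, op, name, value."""
    return [m.groupdict() for m in EVENT_RE.finditer(text)]


def epoch_in_path(path):
    """Epoch embedded in a directory name like AuntecPkg_1583486382, else None."""
    m = re.search(r"AuntecPkg_(\d{10})", path)
    return int(m.group(1)) if m else None


def parse_flags(cmd):
    """Turn '-n X -s 65536 -p 2500' into {'n': 'X', 's': '65536', 'p': '2500'}."""
    return dict(re.findall(r"-(\w)\s+(\S+)", cmd))


def fmt_utc(epoch):
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def correlate():
    """Tie the registry TIME value, the drop directory and the process tree together."""
    events = parse_reg_events(REG_EVENTS_TEXT)
    values = {e["name"]: e["value"] for e in events}
    install_epoch = int(values["TIME"])
    start = datetime.strptime(ANALYSIS_START, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    drop_epochs = {epoch_in_path(p) for p in DROPPED_PATHS} - {None}
    jnz = PROCESSES[3580]
    parent_pid = int(parse_flags(jnz["cmd"]).get("p", -1))
    # NTSTATUS error codes have the top two bits set (severity = error).
    failures = {pid: NTSTATUS_NAMES.get(p["exit"], hex(p["exit"]))
                for pid, p in PROCESSES.items() if (p["exit"] & 0xC0000000) == 0xC0000000}
    return {
        "reg_key": events[0]["key"],
        "install_epoch": install_epoch,
        "install_time_utc": fmt_utc(install_epoch),
        "seconds_after_start": int(install_epoch - start.timestamp()),
        "drop_dir_matches_reg_time": drop_epochs == {install_epoch},
        "jnz_parent_flag_matches_tree": PROCESSES.get(parent_pid, {}).get("image") == jnz["parent"],
        "elevation_failures": failures,
        "hklm_writes_by_high_integrity": all(PROCESSES[int(e["pid"])]["integrity"] == "HIGH" for e in events),
    }


if __name__ == "__main__":
    for k, v in correlate().items():
        print(f"{k}: {v}")
```

The epoch-in-path check is the useful generalisation: an installer that stamps the same timestamp into a registry value, a drop directory and (typically) its install report gives you a single number to pivot on across host and network telemetry.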
Network summary: 11 HTTP(S) requests, 16 TCP/UDP connections, 5 DNS requests, 14 threats

HTTP requests

PID   Process                      Method  Code  IP:port             URL                                                                               CN  Type  Size   Reputation
2500  screenrecorder_8f3b3b68.exe  HEAD    200   125.77.142.171:80   http://cdn-desktop-oss.aunbox.cn/screenrecorder/software/1.1.22.133/install.exe   CN  -     -      malicious
2500  screenrecorder_8f3b3b68.exe  GET     -     125.77.142.171:80   http://cdn-desktop-oss.aunbox.cn/screenrecorder/software/1.1.22.133/install.exe   CN  -     -      malicious
2500  screenrecorder_8f3b3b68.exe  POST    200   101.37.111.213:80   http://support.aunapi.com/v1.1/installer/package/index                            CN  text  747 b  malicious
3580  Jnz.exe                      POST    200   47.98.172.50:8106   http://sa.aunload.com:8106/sa?project=production                                  CN  -     -      unknown
3580  Jnz.exe                      POST    -     101.37.111.213:80   http://support.aunapi.com/v1/log/function-log                                     CN  -     -      malicious
3580  Jnz.exe                      POST    -     101.37.111.213:80   http://support.aunapi.com/v1/log/function-log                                     CN  -     -      malicious
3580  Jnz.exe                      POST    200   101.37.111.213:80   http://support.aunapi.com/v1/log/function-log                                     CN  text  33 b   malicious
3580  Jnz.exe                      POST    200   101.37.111.213:80   http://support.aunapi.com/v1/report/install                                       CN  text  33 b   malicious
3580  Jnz.exe                      POST    200   101.37.111.213:80   http://support.aunapi.com/v1/log/user-operate                                     CN  text  33 b   malicious
3580  Jnz.exe                      POST    200   101.37.111.213:80   http://support.aunapi.com/v1/log/user-operate                                     CN  text  33 b   malicious

Rows with no code, type or size have no response recorded in this excerpt. The installer does a HEAD and then a GET for install.exe over plain HTTP, so the download is open to tampering in transit, then posts to the installer API; Jnz.exe posts log and install reports to support.aunapi.com and to sa.aunload.com on the non-standard port 8106, which is the "Connects to unusual port" indicator above.

Connections

PID   Process                      IP:port             Domain                     ASN                                    CN  Reputation
2500  screenrecorder_8f3b3b68.exe  101.37.111.213:80   support.aunapi.com         Hangzhou Alibaba Advertising Co.,Ltd.  CN  malicious
3580  Jnz.exe                      101.37.111.213:80   support.aunapi.com         Hangzhou Alibaba Advertising Co.,Ltd.  CN  malicious
3580  Jnz.exe                      47.98.172.50:8106   sa.aunload.com             Hangzhou Alibaba Advertising Co.,Ltd.  CN  unknown
2500  screenrecorder_8f3b3b68.exe  125.77.142.171:80   cdn-desktop-oss.aunbox.cn  No.31,Jin-rong Street                  CN  malicious

DNS requests

Domain                     IP               Reputation
support.aunapi.com         101.37.111.213   malicious
sa.aunload.com             47.98.172.50     unknown
cdn-desktop-oss.aunbox.cn  125.77.142.171   malicious
dns.msftncsi.com           131.107.255.255  shared

dns.msftncsi.com is the Windows Network Connectivity Status Indicator probe, expected background traffic from the guest rather than part of the sample's infrastructure.

Threats (IDS alerts)

Class                                  Message                                                                            Count
Misc activity                          ADWARE [PTsecurity] Kunshan Aunbox software                                        7
Potential Corporate Privacy Violation  ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System   1
Potential Corporate Privacy Violation  ET POLICY Unsupported/Fake Internet Explorer Version MSIE 5.                       1
A Network Trojan was detected          ET TROJAN GENERIC Likely Malicious Fake IE Downloading .exe                        1

The PID and process columns are empty in this excerpt. The three ET alerts are all about the HTTP client: the installer fetches install.exe with a User-Agent claiming Internet Explorer 5 on Windows 98, which no current browser sends, so the download stands out as a non-browser client posing as one.
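The alerts above are derived from the HTTP rows in the table before them. The following is an added example, not an ANY.RUN or Emerging Threats rule, that re-derives the same classes of finding from those rows: legacy Windows 98 and pre-IE7 User-Agents, a fake-IE client downloading an .exe, a non-standard port, telemetry POSTs, and cleartext HTTP. The request rows are copied from the report; the User-Agent string is assumed (the report prints the alerts, not the header) and chosen to trip the same signatures, and widening "MSIE 5." to any IE version below 7 is the example's own generalisation.

```python
"""Re-derive the report's network alerts from its HTTP table.

Added example, not an ANY.RUN or Emerging Threats rule. Rows come from the
report; the User-Agent value is an assumption.
"""
import re
from urllib.parse import urlsplit

ASSUMED_UA = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"  # assumed, not shown in the report
COMMON_PORTS = {80, 443, 8080}

REQUESTS = [
    {"pid": 2500, "proc": "screenrecorder_8f3b3b68.exe", "method": "HEAD",
     "url": "http://cdn-desktop-oss.aunbox.cn/screenrecorder/software/1.1.22.133/install.exe", "ua": ASSUMED_UA},
    {"pid": 2500, "proc": "screenrecorder_8f3b3b68.exe", "method": "GET",
     "url": "http://cdn-desktop-oss.aunbox.cn/screenrecorder/software/1.1.22.133/install.exe", "ua": ASSUMED_UA},
    {"pid": 2500, "proc": "screenrecorder_8f3b3b68.exe", "method": "POST",
     "url": "http://support.aunapi.com/v1.1/installer/package/index", "ua": ASSUMED_UA},
    {"pid": 3580, "proc": "Jnz.exe", "method": "POST",
     "url": "http://sa.aunload.com:8106/sa?project=production", "ua": ASSUMED_UA},
    {"pid": 3580, "proc": "Jnz.exe", "method": "POST",
     "url": "http://support.aunapi.com/v1/log/function-log", "ua": ASSUMED_UA},
    {"pid": 3580, "proc": "Jnz.exe", "method": "POST",
     "url": "http://support.aunapi.com/v1/report/install", "ua": ASSUMED_UA},
    {"pid": 3580, "proc": "Jnz.exe", "method": "POST",
     "url": "http://support.aunapi.com/v1/log/user-operate", "ua": ASSUMED_UA},
]


def classify(req):
    """Return the rule names a single request trips (empty list if none)."""
    hits = []
    u = urlsplit(req["url"])
    port = u.port or (443 if u.scheme == "https" else 80)
    ua = req["ua"]
    legacy_ie = re.search(r"MSIE [1-6]\.", ua) is not None  # IE 1 to 6: unsupported for years
    if "Windows 98" in ua:
        hits.append("POLICY: Windows 98 User-Agent")
    if legacy_ie:
        hits.append("POLICY: unsupported/fake IE version")
    if legacy_ie and req["method"] == "GET" and u.path.lower().endswith(".exe"):
        hits.append("TROJAN: fake IE downloading .exe")
    if port not in COMMON_PORTS:
        hits.append(f"unusual port {port}")
    if req["method"] == "POST" and re.search(r"/(log|report)/", u.path):
        hits.append("telemetry beacon")
    if u.scheme == "http":
        hits.append("cleartext HTTP")
    return hits


def summarize(requests):
    """Classify every row and aggregate the network IOCs it yields."""
    findings = [(r["pid"], r["method"], r["url"], classify(r)) for r in requests]
    beacons = {}
    for pid, _, _, hits in findings:
        if "telemetry beacon" in hits:
            beacons[pid] = beacons.get(pid, 0) + 1
    parts = [urlsplit(r["url"]) for r in requests]
    return {
        "findings": findings,
        "hosts": sorted({p.hostname for p in parts}),
        "ports": sorted({p.port or 80 for p in parts}),
        "beacons_by_pid": beacons,
    }


if __name__ == "__main__":
    s = summarize(REQUESTS)
    for pid, method, url, hits in s["findings"]:
        print(pid, method, url, "->", "; ".join(hits) or "clean")
    print("hosts:", s["hosts"], "ports:", s["ports"], "beacons:", s["beacons_by_pid"])
```

Only the GET is scored as the trojan-class download, matching the single ET TROJAN alert; the HEAD that precedes it trips only the User-Agent policy rules.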