URL:

https://www.hofosoft.cn/download/setup.zip

Full analysis: https://app.any.run/tasks/8ec90874-b21a-454d-bb5f-062b9a9fd295
Verdict: Malicious activity
Analysis date: June 26, 2024, 09:36:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

6542E114D32B3AD8B6B9465BA7BCA623

SHA1:

D84354A2DB784256F56B65CAB93CCBE7AB89A672

SHA256:

DF621408E2E421049D1197A48BB5C6A4E0E5C8B8CC4373D483766719E8F05CFC

SSDEEP:

3:N8DSLuKWKZFKLxQhc:2OLsHtuc
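A note on what these indicators describe: the task was submitted as a URL, the only artifact tied to that URL in the dropped-files table is a partial download (setup.zip.42vbi6o.partial, written by PID 3396 to the IE cache, with its own MD5/SHA256), and the report counts 0 executable files and 2 monitored processes, so the archive was fetched but nothing from it ran in this session. An analyst who later obtains a copy of setup.zip should therefore not expect it to match the header hashes without checking. The Python helper below is added here and is not part of the ANY.RUN report; it recomputes MD5/SHA-1/SHA-256 over the URL string (exact bytes and with a trailing newline, as `echo url | md5sum` would produce) and over a local file, and reports which listed values, if any, match. The hash constants are copied from this page; ssdeep is omitted because it needs a third-party library.

```python
import hashlib

# Indicator hashes as printed in the report header above.
REPORT_HASHES = {
    "md5": "6542E114D32B3AD8B6B9465BA7BCA623",
    "sha1": "D84354A2DB784256F56B65CAB93CCBE7AB89A672",
    "sha256": "DF621408E2E421049D1197A48BB5C6A4E0E5C8B8CC4373D483766719E8F05CFC",
}
# Hashes of the partial download IE wrote to its cache (from the dropped-files table).
PARTIAL_DOWNLOAD_HASHES = {
    "md5": "A2C465596625C8511E2FD7CB67C3E268",
    "sha256": "B09E1629F710F139E1F025AFE484A527321CDC47282564BF3D7C487AF4CE56EE",
}
ALGORITHMS = ("md5", "sha1", "sha256")


def digest_bytes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of an in-memory buffer, upper-case hex to match the report."""
    return {name: hashlib.new(name, data).hexdigest().upper() for name in ALGORITHMS}


def digest_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same digests for a file on disk, streamed so a large archive need not fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest().upper() for name, h in hashers.items()}


def compare(computed: dict, expected: dict) -> dict:
    """Per-algorithm match flags, case-insensitive, only for algorithms present on both sides."""
    return {name: computed[name] == expected[name].upper()
            for name in expected if name in computed}


def check_url_string(url: str, expected: dict = REPORT_HASHES) -> dict:
    """Hash the URL text two common ways (exact bytes, and with a trailing newline)
    and report, per variant, which of the listed indicator hashes it reproduces."""
    variants = {
        "exact": url.encode("utf-8"),
        "with_newline": (url + "\n").encode("utf-8"),
    }
    return {label: compare(digest_bytes(data), expected) for label, data in variants.items()}


def check_file(path: str, expected: dict = PARTIAL_DOWNLOAD_HASHES) -> dict:
    """Compare a local copy of the download against the partial-file hashes from the report.
    A mismatch is expected if the local copy is the complete archive rather than the partial."""
    return compare(digest_file(path), expected)


if __name__ == "__main__":
    url = "https://www.hofosoft.cn/download/setup.zip"
    for label, matches in check_url_string(url).items():
        print(f"{label:13s} {matches}")
```

Run it as-is to see whether the header hashes reproduce from the URL string; pass a path to `check_file` to test a sample against the partial-download hashes.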

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3400)
    • Drops the executable file immediately after the start

      • iexplore.exe (PID: 3396)
    • Application launched itself

      • iexplore.exe (PID: 3400)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> iexplore.exe (PID 3400, started by explorer.exe with the URL, MEDIUM integrity) -> iexplore.exe (PID 3396, child tab process, SCODEF:3400, LOW integrity)

Process information

PID: 3396
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3400 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

PID: 3400
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://www.hofosoft.cn/download/setup.zip"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events: 17 300
Read events: 17 218
Write events: 74
Delete events: 8

Modification events

(PID) Process | Key | Operation | Name | Value
(3400) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPDaysSinceLastAutoMigration | 1
(3400) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPLastLaunchLowDateTime |
(3400) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | write | NTPLastLaunchHighDateTime | 31115180
(3400) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | write | NextCheckForUpdateLowDateTime |
(3400) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | write | NextCheckForUpdateHighDateTime | 31115180
(3400) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | write | CachePrefix |
(3400) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | write | CachePrefix | Cookie:
(3400) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | write | CachePrefix | Visited:
(3400) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | write | CompatibilityFlags | 0
(3400) iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
Executable files: 0
Suspicious files: 16
Text files: 13
Unknown types: 2

Dropped files

PID 3396, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\setup.zip.42vbi6o.partial
  Type: compressed
  MD5: A2C465596625C8511E2FD7CB67C3E268
  SHA256: B09E1629F710F139E1F025AFE484A527321CDC47282564BF3D7C487AF4CE56EE

PID 3400, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\urlblockindex[1].bin
  Type: binary
  MD5: FA518E3DFAE8CA3A0E495460FD60C791
  SHA256: 775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7

PID 3396, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8F5C3F193F0DCE36818699C1790A29CC
  Type: der
  MD5: 6F8B9D1BADBB3F6DAF2EE99AF881A2BD
  SHA256: F8AB3428267D7958C4A91C10628847697D130CFA07E0EBCDD62400F17B571ABF

PID 3400, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{8276FD2F-339F-11EF-9AAA-12A9866C77DE}.dat
  Type: binary
  MD5: 0C6D0BA875147851F2F6878720ECD046
  SHA256: 278FD1A8E65A63C10827598B058673C23BF415DA2D6D4767BD4B7FEAD00AEBD3

PID 3400, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Temp\~DF1A06F8C8C916A1A4.TMP
  Type: gmc
  MD5: 20C358563A73FD95EF0519CE52324490
  SHA256: F8F26AE6327CDB25BF080CB2676598F4B10B91209F285DEC93333630ED59A69A

PID 3400, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Type: der
  MD5: 5F0847E5A15AF2D7923393C3CD30C5D1
  SHA256: 28766E681BF500E9CDDBCD3275CD898C4165354AD087C2461D9EE374A7E2221E

PID 3400, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
  Type: binary
  MD5: 6349EB91EE09F3EBFB0266724829881B
  SHA256: 34E2E0E17BAEB3D4955F1844F16ED9AA6317FDABE5C763F4C27F044512F2EE65

PID 3400, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Type: binary
  MD5: 98A5342FD54410245D5087B633E664F1
  SHA256: F8025E3C10EB0C905A141CDB0A6AA2E09270280E8C43ABE411D37478675729F9

PID 3400, iexplore.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\231IN9BQ.txt
  Type: text
  MD5: EA29DFC3C5D9C8B8CBC05B011DD49351
  SHA256: 803F3D22C88F8188462B4A9AE61D6F4238051D3F5A41E1C0DF811F431C95D42C

PID 3400, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml
  Type: xml
  MD5: CBD0581678FA40F0EDCBC7C59E0CAD10
  SHA256: 159BD4343F344A08F6AF3B716B6FA679859C1BD1D7030D26FF5EF0255B86E1D9
HTTP(S) requests: 12
TCP/UDP connections: 27
DNS requests: 14
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3396 | iexplore.exe | GET | 304 | 23.53.40.72:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f01b97c412483db3 | unknown | unknown
3396 | iexplore.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEQCyDO1VLjGgvzQ6dSh0O%2Bmr | unknown | unknown
3396 | iexplore.exe | GET | 200 | 117.27.246.196:80 | http://ocsp.trust-provider.cn/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQDhvjmfMdSVsHZ9u52p9jqu3rd8gQUXzp8ERB%2BDGdxYdyLo7UAA2f1VxwCEQD7t2y2wAkpnEVSfKX7m3Is | unknown | unknown
1372 | svchost.exe | GET | | 23.53.40.74:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33 | unknown | unknown
3400 | iexplore.exe | GET | 304 | 23.53.40.74:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a8430b24b1229537 | unknown | unknown
3400 | iexplore.exe | GET | 304 | 23.53.40.74:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9f48773d69d6e4e3 | unknown | unknown
3400 | iexplore.exe | GET | 304 | 23.53.40.74:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?99980466a970dac7 | unknown | unknown
3400 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | unknown
1372 | svchost.exe | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
1372 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1372 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
3396 | iexplore.exe | 175.178.242.139:443 | www.hofosoft.cn | Shenzhen Tencent Computer Systems Company Limited | CN | unknown
1060 | svchost.exe | 224.0.0.252:5355 | | | | unknown
3396 | iexplore.exe | 23.53.40.72:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
3396 | iexplore.exe | 172.64.149.23:80 | ocsp.comodoca.com | CLOUDFLARENET | US | unknown
3396 | iexplore.exe | 117.27.246.196:80 | ocsp.trust-provider.cn | Fuzhou | CN | unknown
1372 | svchost.exe | 23.53.40.74:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | unknown
3400 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | EDGECAST | US | whitelisted

DNS requests

Domain
IP
Reputation
www.hofosoft.cn
  • 175.178.242.139
unknown
ctldl.windowsupdate.com
  • 23.53.40.72
  • 23.53.40.49
  • 23.53.40.18
  • 23.53.40.40
  • 23.53.40.65
  • 23.53.40.74
  • 23.53.40.56
  • 23.53.40.34
  • 23.53.40.59
  • 23.53.40.73
  • 23.53.40.50
  • 23.53.40.43
whitelisted
ocsp.comodoca.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
ocsp.trust-provider.cn
  • 117.27.246.196
  • 140.249.150.23
  • 112.50.95.196
  • 36.248.38.196
  • 183.201.243.134
malicious
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
crl.microsoft.com
  • 23.32.238.112
  • 23.32.238.107
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
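Reading the network tables together: the report fires no threat, yet the DNS table labels ocsp.trust-provider.cn "malicious" while the Connections table shows it was contacted over port 80 by the same LOW-integrity tab process (PID 3396) that opened www.hofosoft.cn over TLS, right alongside ocsp.comodoca.com. That pattern is consistent with the browser checking revocation status for the site's certificate chain rather than with second-stage traffic, and everything else on the list is Windows certificate-trust-list, CRL and telemetry background, leaving 175.178.242.139 (Tencent, CN) as the one endpoint actually introduced by the submitted URL. The Python triage below is added here and is not part of the ANY.RUN report: it takes the Connections and DNS rows above as transcribed input, separates LAN noise and Microsoft background traffic from the submitted host and the certificate-status lookups that still merit a look, and keeps both reputation labels side by side so a disagreement like the one on ocsp.trust-provider.cn stays visible. The bucket names and allowlist patterns are this example's own choices, not ANY.RUN's.

```python
import ipaddress
import re
from urllib.parse import urlparse

SUBMITTED_URL = "https://www.hofosoft.cn/download/setup.zip"

# Rows transcribed from the report's Connections table: (pid, process, ip:port, domain, reputation).
CONNECTIONS = [
    (4, "System", "192.168.100.255:138", "", "whitelisted"),
    (4, "System", "192.168.100.255:137", "", "whitelisted"),
    (1372, "svchost.exe", "40.127.240.158:443", "settings-win.data.microsoft.com", "unknown"),
    (3396, "iexplore.exe", "175.178.242.139:443", "www.hofosoft.cn", "unknown"),
    (1060, "svchost.exe", "224.0.0.252:5355", "", "unknown"),
    (3396, "iexplore.exe", "23.53.40.72:80", "ctldl.windowsupdate.com", "unknown"),
    (3396, "iexplore.exe", "172.64.149.23:80", "ocsp.comodoca.com", "unknown"),
    (3396, "iexplore.exe", "117.27.246.196:80", "ocsp.trust-provider.cn", "unknown"),
    (1372, "svchost.exe", "23.53.40.74:80", "ctldl.windowsupdate.com", "unknown"),
    (3400, "iexplore.exe", "152.199.19.161:443", "iecvlist.microsoft.com", "whitelisted"),
]
# Reputation labels transcribed from the report's DNS table, keyed by domain.
DNS_REPUTATION = {
    "www.hofosoft.cn": "unknown",
    "ctldl.windowsupdate.com": "whitelisted",
    "ocsp.comodoca.com": "whitelisted",
    "ocsp.trust-provider.cn": "malicious",
    "settings-win.data.microsoft.com": "whitelisted",
    "iecvlist.microsoft.com": "whitelisted",
    "ocsp.digicert.com": "whitelisted",
    "crl.microsoft.com": "whitelisted",
    "www.microsoft.com": "whitelisted",
}

# Allowlist patterns are this example's own choice: Windows CTL/CRL/telemetry hosts count as
# "background"; OCSP/CRL responders reached while validating a certificate chain as "cert-check".
BACKGROUND = re.compile(r"(^|\.)(microsoft\.com|windowsupdate\.com)$")
CERT_CHECK = re.compile(r"^(ocsp|crl)\.")


def classify(domain: str, endpoint: str) -> str:
    ip = ipaddress.ip_address(endpoint.rsplit(":", 1)[0])
    if ip.is_private or ip.is_multicast or ip.is_link_local:
        return "local"        # NetBIOS broadcast, LLMNR multicast: sandbox LAN noise
    if not domain:
        return "review"       # external IP with no resolved name deserves a look
    if domain == urlparse(SUBMITTED_URL).hostname:
        return "target"
    if CERT_CHECK.match(domain):
        return "cert-check"
    if BACKGROUND.search(domain):
        return "background"
    return "review"


def triage(rows=CONNECTIONS, dns_rep=DNS_REPUTATION) -> dict:
    """Bucket each connection and carry both reputation labels so disagreements stay visible."""
    buckets = {}
    for pid, process, endpoint, domain, conn_rep in rows:
        buckets.setdefault(classify(domain, endpoint), []).append({
            "pid": pid, "process": process, "endpoint": endpoint, "domain": domain,
            "conn_reputation": conn_rep, "dns_reputation": dns_rep.get(domain, "n/a"),
        })
    return buckets


def needs_analyst(rows=CONNECTIONS, dns_rep=DNS_REPUTATION) -> list:
    """Everything not explained as LAN noise or Microsoft background traffic, target first."""
    b = triage(rows, dns_rep)
    return b.get("target", []) + b.get("cert-check", []) + b.get("review", [])


def reputation_conflicts(rows=CONNECTIONS, dns_rep=DNS_REPUTATION) -> list:
    """Contacted domains the DNS table labels malicious, to cross-check against the Threats count."""
    return sorted({d for _, _, _, d, _ in rows if d and dns_rep.get(d) == "malicious"})


if __name__ == "__main__":
    for bucket, entries in triage().items():
        print(f"[{bucket}]")
        for e in entries:
            print(f"  pid {e['pid']:<5} {e['process']:<13} {e['endpoint']:<22} "
                  f"{e['domain'] or '-':<32} dns={e['dns_reputation']} conn={e['conn_reputation']}")
    print("reputation conflicts:", reputation_conflicts())
```

On these rows the "target" bucket holds only the www.hofosoft.cn connection from PID 3396, "cert-check" holds the two OCSP responders (one of them carrying the DNS-side "malicious" label against an "unknown" connection label), and nothing lands in "review"; the same allowlist applied to a report with a real second stage would leave that endpoint in "review" or, if it resolved, under its own name.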

Threats

No threats detected
No debug info