URL:

https://www.hofosoft.cn/download/setup.zip

Full analysis: https://app.any.run/tasks/8ec90874-b21a-454d-bb5f-062b9a9fd295
Verdict: Malicious activity
Analysis date: June 26, 2024, 09:36:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

6542E114D32B3AD8B6B9465BA7BCA623

SHA1:

D84354A2DB784256F56B65CAB93CCBE7AB89A672

SHA256:

DF621408E2E421049D1197A48BB5C6A4E0E5C8B8CC4373D483766719E8F05CFC

SSDEEP:

3:N8DSLuKWKZFKLxQhc:2OLsHtuc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Drops the executable file immediately after the start

      • iexplore.exe (PID: 3396)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3400)

    • Application launched itself

      • iexplore.exe (PID: 3400)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3396"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3400 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
3400"C:\Program Files\Internet Explorer\iexplore.exe" "https://www.hofosoft.cn/download/setup.zip"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
17 300
Read events
17 218
Write events
74
Delete events
8

Modification events

(PID) Process:(3400) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(3400) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
(PID) Process:(3400) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
31115180
(PID) Process:(3400) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(3400) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
31115180
(PID) Process:(3400) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3400) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3400) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3400) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3400) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
0
Suspicious files
16
Text files
13
Unknown types
2

Dropped files

PID
Process
Filename
Type
3396iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_BE25D0FE540174A4A87E2295C663329Dbinary
MD5:A38BD23BEB883BA5BD535EBFCC571260
SHA256:0F65D50F140937E20E0271A0F9429D660B63F359EE3316AF1BCCD5098E61D8B3
3400iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF1A06F8C8C916A1A4.TMPgmc
MD5:20C358563A73FD95EF0519CE52324490
SHA256:F8F26AE6327CDB25BF080CB2676598F4B10B91209F285DEC93333630ED59A69A
3396iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_BE25D0FE540174A4A87E2295C663329Dder
MD5:6AD9FF12AC824134BC0EE48DE10F4B18
SHA256:16F27913C55D1C1D8D3A732E8CAAE00B08FAB6411BDDB5905410EB790EEC1563
3396iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8F5C3F193F0DCE36818699C1790A29CCder
MD5:6F8B9D1BADBB3F6DAF2EE99AF881A2BD
SHA256:F8AB3428267D7958C4A91C10628847697D130CFA07E0EBCDD62400F17B571ABF
3396iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\setup[1].zipcompressed
MD5:337054A55F05EE96562E67B557285237
SHA256:21CA675586A0FAB4A97303890EDAD723A5DA594F597D2AAC01C97EFCF1ECC860
3396iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8F5C3F193F0DCE36818699C1790A29CCbinary
MD5:26A5CF041282BED10968D1EADF62D7F0
SHA256:21C0C77BC2841811193913C8A4924C7B605DA135A22014AF15CF6EAB7513F538
3400iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{8276FD2F-339F-11EF-9AAA-12A9866C77DE}.datbinary
MD5:0C6D0BA875147851F2F6878720ECD046
SHA256:278FD1A8E65A63C10827598B058673C23BF415DA2D6D4767BD4B7FEAD00AEBD3
3396iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\setup.zip.42vbi6o.partialcompressed
MD5:A2C465596625C8511E2FD7CB67C3E268
SHA256:B09E1629F710F139E1F025AFE484A527321CDC47282564BF3D7C487AF4CE56EE
3400iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776der
MD5:5F0847E5A15AF2D7923393C3CD30C5D1
SHA256:28766E681BF500E9CDDBCD3275CD898C4165354AD087C2461D9EE374A7E2221E
3400iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xmlxml
MD5:CBD0581678FA40F0EDCBC7C59E0CAD10
SHA256:159BD4343F344A08F6AF3B716B6FA679859C1BD1D7030D26FF5EF0255B86E1D9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
27
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3396
iexplore.exe
GET
304
23.53.40.72:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f01b97c412483db3
unknown
unknown
3396
iexplore.exe
GET
200
172.64.149.23:80
http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEQCyDO1VLjGgvzQ6dSh0O%2Bmr
unknown
unknown
3396
iexplore.exe
GET
200
117.27.246.196:80
http://ocsp.trust-provider.cn/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQDhvjmfMdSVsHZ9u52p9jqu3rd8gQUXzp8ERB%2BDGdxYdyLo7UAA2f1VxwCEQD7t2y2wAkpnEVSfKX7m3Is
unknown
unknown
1372
svchost.exe
GET
23.53.40.74:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
unknown
3400
iexplore.exe
GET
304
23.53.40.74:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9f48773d69d6e4e3
unknown
unknown
3400
iexplore.exe
GET
304
23.53.40.74:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a8430b24b1229537
unknown
unknown
3400
iexplore.exe
GET
304
23.53.40.74:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?99980466a970dac7
unknown
unknown
3400
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
1372
svchost.exe
GET
200
23.32.238.112:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
unknown
1372
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1372
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
3396
iexplore.exe
175.178.242.139:443
www.hofosoft.cn
Shenzhen Tencent Computer Systems Company Limited
CN
unknown
1060
svchost.exe
224.0.0.252:5355
unknown
3396
iexplore.exe
23.53.40.72:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
3396
iexplore.exe
172.64.149.23:80
ocsp.comodoca.com
CLOUDFLARENET
US
unknown
3396
iexplore.exe
117.27.246.196:80
ocsp.trust-provider.cn
Fuzhou
CN
unknown
1372
svchost.exe
23.53.40.74:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
3400
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
www.hofosoft.cn
  • 175.178.242.139
unknown
ctldl.windowsupdate.com
  • 23.53.40.72
  • 23.53.40.49
  • 23.53.40.18
  • 23.53.40.40
  • 23.53.40.65
  • 23.53.40.74
  • 23.53.40.56
  • 23.53.40.34
  • 23.53.40.59
  • 23.53.40.73
  • 23.53.40.50
  • 23.53.40.43
whitelisted
ocsp.comodoca.com
  • 172.64.149.23
  • 104.18.38.233
whitelisted
ocsp.trust-provider.cn
  • 117.27.246.196
  • 140.249.150.23
  • 112.50.95.196
  • 36.248.38.196
  • 183.201.243.134
malicious
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
crl.microsoft.com
  • 23.32.238.112
  • 23.32.238.107
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.hofosoft.cn/download/setup.zip