Malware analysis usb转串口万能驱动合集_102_636788.exe Malicious activity

Add for printing

File name:	usb转串口万能驱动合集_102_636788.exe
Full analysis:	https://app.any.run/tasks/4a2deae2-c6ed-4eaa-92a4-67c48d03bc13
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	February 03, 2026, 09:28:39
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	qihoo360 adware anti-evasion teamviewer delphi stealer pua
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:	3CAFC6916F3B9414B5A0D4DF8812CB06
SHA1:	0BC86F3BF7E158047A15078704288107C9B07603
SHA256:	E9879094BC434B5BA7922A85DFE6D20DDFF9EBC61007770367E395B46A965CA0
SSDEEP:	98304:DebFT2lnDdE7wFc0dGBfRlkW4pDHNEsNZxXUyRPkYTXaI2ELqWOjuxbzD4Dv1k6Q:8qkC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
Google Chrome (133.0.6943.127)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (133.0.3065.92)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (136.0)
Mozilla Maintenance Service (136.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes settings of System certificates
  - lsass.exe (PID: 804)
  - SoftMgr.exe (PID: 9404)
- Registers / Runs the DLL via REGSVR32.EXE
  - usb转串口万能驱动合集_102_636788.exe (PID: 5872)
  - SoftMgr.exe (PID: 9404)
  - softmgrsvr.exe (PID: 9244)
  - SoftupNotify.exe (PID: 8048)
- Proxy execution via Explorer
  - usb转串口万能驱动合集_102_636788.exe (PID: 5872)
- Changes the autorun value in the registry
  - huabaosetup.exe (PID: 10168)
- QIHOO360 mutex has been found
  - SoftMgr.exe (PID: 9404)
  - softmgrsvr.exe (PID: 9244)
  - SoftMgrUpdate.exe (PID: 8252)
  - SoftMgr.exe (PID: 10004)
  - SoftMgr.exe (PID: 10048)
  - SoftMgr.exe (PID: 9988)
  - SoftMgr.exe (PID: 2912)
  - SoftMgrUpdate.exe (PID: 7204)
  - SoftMgr.exe (PID: 6692)
  - SoftMgr.exe (PID: 10080)
  - SoftMgr.exe (PID: 3388)
  - SoftMgrUpdate.exe (PID: 1932)
  - SoftMgr.exe (PID: 7548)
  - SoftMgr.exe (PID: 2432)
  - SoftMgrUpdate.exe (PID: 9688)
  - SoftMgr.exe (PID: 10216)
  - SoftMgr.exe (PID: 6280)
  - SoftMgr.exe (PID: 8480)
  - SoftMgr.exe (PID: 8444)
  - SoftMgr.exe (PID: 3040)
  - SoftMgr.exe (PID: 9632)
  - SoftMgr.exe (PID: 6376)
  - SoftMgr.exe (PID: 7980)
  - SoftMgr.exe (PID: 5728)
  - SoftMgr.exe (PID: 9640)
  - SDIS.exe (PID: 9496)
  - SoftMgr.exe (PID: 9220)
  - SoftMgr.exe (PID: 1320)
  - SoftupNotify.exe (PID: 8044)
  - SoftupNotify.exe (PID: 6272)
  - SoftupNotify.exe (PID: 2844)
  - SoftupNotify.exe (PID: 4968)
  - SoftupNotify.exe (PID: 8712)
  - SoftupNotify.exe (PID: 9184)
  - SoftupNotify.exe (PID: 5308)
  - LiveUpdate360.exe (PID: 3980)
  - LiveUpdate360.exe (PID: 9416)
  - LiveUpdate360.exe (PID: 8888)
  - LiveUpdate360.exe (PID: 8300)
  - LiveUpdate360.exe (PID: 4136)
  - SoftupNotify.exe (PID: 876)
  - SoftupNotify.exe (PID: 8048)
  - SoftupNotify.exe (PID: 9152)
  - SoftupNotify.exe (PID: 7980)
  - SoftupNotify.exe (PID: 9656)
- Actions looks like stealing of personal data
  - SoftMgr.exe (PID: 10004)
  - About.exe (PID: 1672)
SUSPICIOUS
- Adds/modifies Windows certificates
  - lsass.exe (PID: 804)
  - SoftMgr.exe (PID: 9404)
- Stops a currently running service
  - sc.exe (PID: 7272)
  - sc.exe (PID: 8156)
  - sc.exe (PID: 7972)
  - sc.exe (PID: 2844)
  - sc.exe (PID: 8876)
- Windows service management via SC.EXE
  - sc.exe (PID: 6152)
  - sc.exe (PID: 8572)
  - sc.exe (PID: 3404)
  - sc.exe (PID: 2480)
  - sc.exe (PID: 8100)
  - sc.exe (PID: 8168)
  - sc.exe (PID: 6584)
  - sc.exe (PID: 9072)
  - sc.exe (PID: 8712)
  - sc.exe (PID: 6720)
  - sc.exe (PID: 1464)
  - sc.exe (PID: 8364)
  - sc.exe (PID: 492)
  - sc.exe (PID: 8860)
  - sc.exe (PID: 9176)
  - sc.exe (PID: 8824)
  - sc.exe (PID: 6240)
  - sc.exe (PID: 8296)
  - sc.exe (PID: 3588)
  - sc.exe (PID: 7508)
- Uses TASKKILL.EXE to kill process
  - usb转串口万能驱动合集_102_636788.exe (PID: 5872)
- Creates file in the systems drive root
  - explorer.exe (PID: 1368)
  - SoftMgr.exe (PID: 10048)
- Process drops legitimate windows executable
  - usb转串口万能驱动合集_102_636788.exe (PID: 5872)
  - WindowsSoftMgrSetupv2.exe (PID: 4728)
- Creates/Modifies COM task schedule object
  - regsvr32.exe (PID: 4724)
  - regsvr32.exe (PID: 2260)
  - IKernel.exe (PID: 2780)
  - regsvr32.exe (PID: 9476)
  - regsvr32.exe (PID: 6056)
  - regsvr32.exe (PID: 10196)
- Executes as Windows Service
  - winToolBoxSrv.exe (PID: 1884)
  - cClearSvr.exe (PID: 8332)
  - kUpdateSrv2.exe (PID: 9140)
  - pdfReaderSrv.exe (PID: 1000)
  - winInterceptSer.exe (PID: 5548)
  - VSSVC.exe (PID: 2256)
- Searches for installed software
  - usb转串口万能驱动合集_102_636788.exe (PID: 5872)
  - About.exe (PID: 1672)
  - ZipMaster.exe (PID: 3536)
  - dllhost.exe (PID: 3232)
  - WindowsSoftMgrSetupv2.exe (PID: 4728)
  - IKernel.exe (PID: 2780)
  - SoftMgr.exe (PID: 10004)
  - SDIS.exe (PID: 9496)
  - SoftupNotify.exe (PID: 8044)
  - SoftupNotify.exe (PID: 9152)
  - OfficeAssis.exe (PID: 6020)
  - SoftupNotify.exe (PID: 7980)
- Drops 7-zip archiver for unpacking
  - usb转串口万能驱动合集_102_636788.exe (PID: 5872)
- The process drops C-runtime libraries
  - usb转串口万能驱动合集_102_636788.exe (PID: 5872)
- Uses NETSH.EXE to add a firewall rule or allowed programs
  - usb转串口万能驱动合集_102_636788.exe (PID: 5872)
- Drops a system driver (possible attempt to evade defenses)
  - WinRAR.exe (PID: 3152)
- Sets the service to start on system boot
  - sc.exe (PID: 1320)
  - sc.exe (PID: 8492)
  - sc.exe (PID: 7960)
  - sc.exe (PID: 6108)
  - sc.exe (PID: 3232)
- The process verifies whether the antivirus software is installed
  - About.exe (PID: 1672)
  - duohuipingbao.exe (PID: 1700)
  - duohuipingbao.exe (PID: 148)
  - duohuipingbao.exe (PID: 6364)
  - duohuipingbao.exe (PID: 2424)
  - SoftMgr.exe (PID: 10048)
  - SoftMgr.exe (PID: 10080)
  - SoftMgr.exe (PID: 6280)
  - SoftMgr.exe (PID: 9632)
- Application launched itself
  - duohuipingbao.exe (PID: 1700)
  - duohuipingbao.exe (PID: 148)
  - IKernel.exe (PID: 2780)
  - SoftMgr.exe (PID: 10004)
  - SoftMgr.exe (PID: 6692)
  - SoftMgr.exe (PID: 7548)
  - SoftMgr.exe (PID: 10216)
- Using the short paths format
  - IKernel.exe (PID: 2780)
  - SoftMgr.exe (PID: 10004)
- Changes default file association
  - SoftMgr.exe (PID: 9404)
- The process executes via Task Scheduler
  - SoftMgrUpdate.exe (PID: 8252)
  - SoftMgrUpdate.exe (PID: 7204)
  - SoftMgrUpdate.exe (PID: 1932)
  - SoftMgrUpdate.exe (PID: 9688)
- Reads the BIOS version
  - SoftMgr.exe (PID: 10048)
- Reads the date of Windows installation
  - SoftMgr.exe (PID: 10048)
- The process checks if it is being run in the virtual environment
  - SoftMgr.exe (PID: 10048)
  - SoftMgr.exe (PID: 10004)
- Changes the Home page of Internet Explorer
  - About.exe (PID: 1672)
- Access to an unwanted program domain was detected
  - About.exe (PID: 1672)
  - svchost.exe (PID: 2292)
- Changes the title of the Internet Explorer window
  - About.exe (PID: 1672)
- Executes application which crashes
  - mgtv-client-6.8.9.0-360software.exe (PID: 4072)
INFO
- The sample compiled with chinese language support
  - usb转串口万能驱动合集_102_636788.exe (PID: 5872)
  - WinRAR.exe (PID: 3152)
  - About.exe (PID: 1672)
  - huabaosetup.exe (PID: 10168)
  - WindowsSoftMgrSetupv2.exe (PID: 4728)
  - SoftMgr.exe (PID: 10004)
  - OfficeV4.8.2.8.exe (PID: 5080)
  - DriveTheLife_62303_10_1_37_96.exe (PID: 6504)
- Reads the machine GUID from the registry
  - usb转串口万能驱动合集_102_636788.exe (PID: 5872)
  - ZipMaster.exe (PID: 3536)
  - About.exe (PID: 1672)
  - huabaosetup.exe (PID: 10168)
  - duohuipingbao.exe (PID: 6364)
  - huabaosetup.exe (PID: 6084)
  - WindowsSoftMgrSetupv2.exe (PID: 4728)
  - softmgrsvr.exe (PID: 9244)
  - SoftMgrUpdate.exe (PID: 8252)
  - SoftMgr.exe (PID: 10048)
  - SoftMgr.exe (PID: 10080)
  - SoftMgrUpdate.exe (PID: 1932)
  - SoftMgrUpdate.exe (PID: 9688)
  - SoftMgr.exe (PID: 10004)
  - SoftMgr.exe (PID: 6280)
  - SoftMgr.exe (PID: 9632)
  - SDIS.exe (PID: 9496)
  - SoftupNotify.exe (PID: 8044)
  - LiveUpdate360.exe (PID: 3980)
  - SoftupNotify.exe (PID: 9152)
  - OfficeV4.8.2.8.exe (PID: 5080)
  - OfficeAssis.exe (PID: 6020)
  - SoftupNotify.exe (PID: 7980)
  - DriveTheLife_62303_10_1_37_96.exe (PID: 6504)
- Reads the computer name
  - usb转串口万能驱动合集_102_636788.exe (PID: 5872)
  - cClearSvr.exe (PID: 8332)
  - kUpdateSrv2.exe (PID: 9140)
  - pdfReaderSrv.exe (PID: 1000)
  - winInterceptSer.exe (PID: 5548)
  - winToolBoxSrv.exe (PID: 1884)
  - ZipMaster.exe (PID: 3536)
  - About.exe (PID: 1672)
  - FTDIUNIN.EXE (PID: 5580)
  - FTDIUNIN.EXE (PID: 9020)
  - huabaosetup.exe (PID: 10168)
  - duohuipingbao.exe (PID: 1700)
  - duohuipingbao.exe (PID: 148)
  - duohuipingbao.exe (PID: 6364)
  - duohuipingbao.exe (PID: 2424)
  - huabaosetup.exe (PID: 6084)
  - 98ME_20011_2kXP_20024 Driver Installer.exe (PID: 7368)
  - Setup.exe (PID: 3440)
  - IKernel.exe (PID: 8872)
  - IKernel.exe (PID: 2864)
  - IKernel.exe (PID: 2780)
  - WindowsSoftMgrSetupv2.exe (PID: 4728)
  - SoftMgr.exe (PID: 9404)
  - softmgrsvr.exe (PID: 9244)
  - SoftMgr.exe (PID: 9988)
  - SoftMgrUpdate.exe (PID: 8252)
  - SoftMgr.exe (PID: 10004)
  - SoftMgr.exe (PID: 10048)
  - SoftMgr.exe (PID: 2912)
  - SoftMgrUpdate.exe (PID: 7204)
  - SoftMgr.exe (PID: 6692)
  - SoftMgr.exe (PID: 10080)
  - SoftMgr.exe (PID: 3388)
  - SoftMgrUpdate.exe (PID: 1932)
  - SoftMgr.exe (PID: 7548)
  - SoftMgr.exe (PID: 2432)
  - SoftMgrUpdate.exe (PID: 9688)
  - SoftMgr.exe (PID: 10216)
  - SoftMgr.exe (PID: 6280)
  - SoftMgr.exe (PID: 3040)
  - SoftMgr.exe (PID: 8444)
  - SoftMgr.exe (PID: 9632)
  - SDIS.exe (PID: 9496)
  - SoftMgr.exe (PID: 9220)
  - SoftupNotify.exe (PID: 8044)
  - SoftupNotify.exe (PID: 6272)
  - SoftupNotify.exe (PID: 2844)
  - SoftupNotify.exe (PID: 4968)
  - SoftupNotify.exe (PID: 8712)
  - SoftupNotify.exe (PID: 9184)
  - SoftupNotify.exe (PID: 5308)
  - LiveUpdate360.exe (PID: 3980)
  - SoftupNotify.exe (PID: 876)
  - SoftupNotify.exe (PID: 8048)
  - SoftupNotify.exe (PID: 9152)
  - OfficeV4.8.2.8.exe (PID: 5080)
  - SoftupNotify.exe (PID: 7980)
  - OfficeAssis.exe (PID: 6020)
  - SoftupNotify.exe (PID: 9656)
  - DriveTheLife_62303_10_1_37_96.exe (PID: 6504)
- Checks supported languages
  - usb转串口万能驱动合集_102_636788.exe (PID: 5872)
  - cClearSvr.exe (PID: 8332)
  - kUpdateSrv2.exe (PID: 9140)
  - pdfReaderSrv.exe (PID: 1000)
  - winInterceptSer.exe (PID: 5548)
  - winToolBoxSrv.exe (PID: 1884)
  - ZipMaster.exe (PID: 3536)
  - About.exe (PID: 1672)
  - FTDIUNIN.EXE (PID: 5580)
  - FTDIUNIN.EXE (PID: 9020)
  - SetCOM.exe (PID: 10136)
  - huabaosetup.exe (PID: 10168)
  - duohuipingbao.exe (PID: 1700)
  - duohuipingbao.exe (PID: 148)
  - duohuipingbao.exe (PID: 6364)
  - duohuipingbao.exe (PID: 2424)
  - huabaosetup.exe (PID: 6084)
  - 98ME_20011_2kXP_20024 Driver Installer.exe (PID: 7368)
  - Setup.exe (PID: 3440)
  - IKernel.exe (PID: 8872)
  - IKernel.exe (PID: 2780)
  - IKernel.exe (PID: 2864)
  - WindowsSoftMgrSetupv2.exe (PID: 4728)
  - softmgrsvr.exe (PID: 9244)
  - SoftMgr.exe (PID: 9404)
  - SoftMgr.exe (PID: 9988)
  - SoftMgrUpdate.exe (PID: 8252)
  - SoftMgr.exe (PID: 10004)
  - SoftMgr.exe (PID: 10048)
  - SoftMgr.exe (PID: 6692)
  - SoftMgr.exe (PID: 10080)
  - SoftMgr.exe (PID: 3388)
  - SoftMgrUpdate.exe (PID: 1932)
  - SoftMgr.exe (PID: 7548)
  - SoftMgr.exe (PID: 2432)
  - SoftMgr.exe (PID: 10216)
  - SoftMgr.exe (PID: 6280)
  - SoftMgrUpdate.exe (PID: 9688)
  - SoftMgr.exe (PID: 8480)
  - SoftMgr.exe (PID: 8444)
  - SoftMgr.exe (PID: 9632)
  - SoftMgr.exe (PID: 3040)
  - SoftMgr.exe (PID: 6376)
  - SoftMgr.exe (PID: 5728)
  - SoftMgr.exe (PID: 7980)
  - SoftMgr.exe (PID: 9640)
  - SoftMgr.exe (PID: 1320)
  - SDIS.exe (PID: 9496)
  - SoftMgr.exe (PID: 9220)
  - SoftupNotify.exe (PID: 8044)
  - SoftupNotify.exe (PID: 6272)
  - SoftupNotify.exe (PID: 2844)
  - SoftupNotify.exe (PID: 4968)
  - SoftupNotify.exe (PID: 8712)
  - SoftupNotify.exe (PID: 9184)
  - SoftupNotify.exe (PID: 5308)
  - LiveUpdate360.exe (PID: 3980)
  - LiveUpdate360.exe (PID: 9416)
  - LiveUpdate360.exe (PID: 8888)
  - LiveUpdate360.exe (PID: 8300)
  - LiveUpdate360.exe (PID: 4136)
  - SoftupNotify.exe (PID: 876)
  - SoftupNotify.exe (PID: 8048)
  - SoftupNotify.exe (PID: 9152)
  - OfficeV4.8.2.8.exe (PID: 5080)
  - OfficeAssis.exe (PID: 6020)
  - SoftupNotify.exe (PID: 7980)
  - mgtv-client-6.8.9.0-360software.exe (PID: 4072)
  - SoftupNotify.exe (PID: 9656)
  - DriveTheLife_62303_10_1_37_96.exe (PID: 6504)
- There is functionality for taking screenshot (YARA)
  - usb转串口万能驱动合集_102_636788.exe (PID: 5872)
  - About.exe (PID: 1672)
  - SetCOM.exe (PID: 10136)
  - 98ME_20011_2kXP_20024 Driver Installer.exe (PID: 7368)
- Create files in a temporary directory
  - usb转串口万能驱动合集_102_636788.exe (PID: 5872)
  - About.exe (PID: 1672)
  - huabaosetup.exe (PID: 10168)
  - duohuipingbao.exe (PID: 6364)
  - 98ME_20011_2kXP_20024 Driver Installer.exe (PID: 7368)
  - Setup.exe (PID: 3440)
  - IKernel.exe (PID: 2780)
  - SoftMgr.exe (PID: 10048)
  - SoftMgr.exe (PID: 10004)
  - DriveTheLife_62303_10_1_37_96.exe (PID: 6504)
- Reads security settings of Internet Explorer
  - usb转串口万能驱动合集_102_636788.exe (PID: 5872)
  - explorer.exe (PID: 1368)
  - About.exe (PID: 1672)
  - huabaosetup.exe (PID: 10168)
  - duohuipingbao.exe (PID: 6364)
  - huabaosetup.exe (PID: 6084)
  - IKernel.exe (PID: 8872)
  - IKernel.exe (PID: 2864)
  - IKernel.exe (PID: 2780)
  - WindowsSoftMgrSetupv2.exe (PID: 4728)
  - SoftMgr.exe (PID: 9404)
  - SoftMgrUpdate.exe (PID: 8252)
  - SoftMgr.exe (PID: 10048)
  - SoftMgrUpdate.exe (PID: 1932)
  - SoftMgrUpdate.exe (PID: 9688)
  - SoftMgr.exe (PID: 10004)
  - SDIS.exe (PID: 9496)
  - softmgrsvr.exe (PID: 9244)
  - SoftupNotify.exe (PID: 8048)
  - DriveTheLife_62303_10_1_37_96.exe (PID: 6504)
- The sample compiled with english language support
  - usb转串口万能驱动合集_102_636788.exe (PID: 5872)
  - WinRAR.exe (PID: 3152)
  - huabaosetup.exe (PID: 10168)
  - About.exe (PID: 1672)
  - Setup.exe (PID: 3440)
  - 98ME_20011_2kXP_20024 Driver Installer.exe (PID: 7368)
  - IKernel.exe (PID: 2780)
  - WindowsSoftMgrSetupv2.exe (PID: 4728)
- Creates files or folders in the user directory
  - usb转串口万能驱动合集_102_636788.exe (PID: 5872)
  - ZipMaster.exe (PID: 3536)
  - lsass.exe (PID: 804)
  - About.exe (PID: 1672)
  - huabaosetup.exe (PID: 10168)
  - duohuipingbao.exe (PID: 6364)
  - huabaosetup.exe (PID: 6084)
  - softmgrsvr.exe (PID: 9244)
  - WindowsSoftMgrSetupv2.exe (PID: 4728)
  - SoftMgr.exe (PID: 10004)
  - SoftMgr.exe (PID: 10048)
  - SoftMgr.exe (PID: 10080)
  - SoftMgr.exe (PID: 3040)
  - SoftMgr.exe (PID: 8444)
  - SoftupNotify.exe (PID: 8044)
  - LiveUpdate360.exe (PID: 3980)
  - SDIS.exe (PID: 9496)
  - OfficeV4.8.2.8.exe (PID: 5080)
  - OfficeAssis.exe (PID: 6020)
  - WerFault.exe (PID: 1768)
  - DriveTheLife_62303_10_1_37_96.exe (PID: 6504)
- Drops script file
  - usb转串口万能驱动合集_102_636788.exe (PID: 5872)
  - firefox.exe (PID: 7828)
  - huabaosetup.exe (PID: 10168)
  - 98ME_20011_2kXP_20024 Driver Installer.exe (PID: 7368)
  - WindowsSoftMgrSetupv2.exe (PID: 4728)
  - About.exe (PID: 1672)
- Reads Microsoft Office registry keys
  - explorer.exe (PID: 1368)
- Process checks computer location settings
  - usb转串口万能驱动合集_102_636788.exe (PID: 5872)
  - huabaosetup.exe (PID: 10168)
  - duohuipingbao.exe (PID: 6364)
  - WindowsSoftMgrSetupv2.exe (PID: 4728)
  - SoftMgr.exe (PID: 9404)
  - SoftMgr.exe (PID: 3040)
  - SoftMgr.exe (PID: 10004)
  - SoftMgr.exe (PID: 6376)
  - SoftMgr.exe (PID: 7980)
  - SoftMgr.exe (PID: 5728)
  - SoftMgr.exe (PID: 9640)
  - SoftMgr.exe (PID: 1320)
  - SDIS.exe (PID: 9496)
  - softmgrsvr.exe (PID: 9244)
  - SoftupNotify.exe (PID: 8048)
- Creates a software uninstall entry
  - usb转串口万能驱动合集_102_636788.exe (PID: 5872)
  - WindowsSoftMgrSetupv2.exe (PID: 4728)
  - IKernel.exe (PID: 2780)
  - About.exe (PID: 1672)
  - OfficeV4.8.2.8.exe (PID: 5080)
  - OfficeAssis.exe (PID: 6020)
- Checks proxy server information
  - About.exe (PID: 1672)
  - huabaosetup.exe (PID: 10168)
  - duohuipingbao.exe (PID: 1700)
  - duohuipingbao.exe (PID: 148)
  - duohuipingbao.exe (PID: 6364)
  - duohuipingbao.exe (PID: 2424)
  - huabaosetup.exe (PID: 6084)
  - IKernel.exe (PID: 8872)
  - IKernel.exe (PID: 2864)
  - slui.exe (PID: 4876)
  - IKernel.exe (PID: 2780)
  - WindowsSoftMgrSetupv2.exe (PID: 4728)
  - softmgrsvr.exe (PID: 9244)
  - SoftMgr.exe (PID: 10048)
  - SoftMgr.exe (PID: 10004)
  - SDIS.exe (PID: 9496)
  - SoftupNotify.exe (PID: 8044)
  - SoftupNotify.exe (PID: 8048)
  - SoftupNotify.exe (PID: 9152)
  - SoftupNotify.exe (PID: 7980)
  - DriveTheLife_62303_10_1_37_96.exe (PID: 6504)
  - WerFault.exe (PID: 1768)
- Compiled with Borland Delphi (YARA)
  - About.exe (PID: 1672)
- Application launched itself
  - firefox.exe (PID: 2752)
  - firefox.exe (PID: 7828)
- Manual execution by a user
  - firefox.exe (PID: 2752)
  - SoftMgr.exe (PID: 9988)
  - SoftMgr.exe (PID: 2912)
  - SoftMgr.exe (PID: 3388)
  - SoftMgr.exe (PID: 2432)
- Launching a file from a Registry key
  - huabaosetup.exe (PID: 10168)
- Creates files in the program directory
  - Setup.exe (PID: 3440)
  - IKernel.exe (PID: 2780)
  - WindowsSoftMgrSetupv2.exe (PID: 4728)
  - softmgrsvr.exe (PID: 9244)
  - SoftMgr.exe (PID: 10048)
  - SoftMgr.exe (PID: 10004)
  - SDIS.exe (PID: 9496)
  - SoftupNotify.exe (PID: 8044)
  - LiveUpdate360.exe (PID: 3980)
  - SoftupNotify.exe (PID: 8048)
  - SoftupNotify.exe (PID: 9152)
  - SoftupNotify.exe (PID: 7980)
- Reads CPU info
  - duohuipingbao.exe (PID: 6364)
  - SoftMgr.exe (PID: 10004)
- Disables trace logs
  - SoftMgr.exe (PID: 9404)
  - softmgrsvr.exe (PID: 9244)
  - SoftMgr.exe (PID: 10004)
  - SoftMgr.exe (PID: 6692)
  - SoftMgr.exe (PID: 7548)
  - SoftMgr.exe (PID: 10216)
  - SDIS.exe (PID: 9496)
  - SoftupNotify.exe (PID: 8044)
  - SoftupNotify.exe (PID: 6272)
  - SoftupNotify.exe (PID: 2844)
  - SoftupNotify.exe (PID: 4968)
  - SoftupNotify.exe (PID: 8712)
  - SoftupNotify.exe (PID: 9184)
  - SoftupNotify.exe (PID: 5308)
  - LiveUpdate360.exe (PID: 3980)
  - SoftupNotify.exe (PID: 876)
  - SoftupNotify.exe (PID: 8048)
  - SoftupNotify.exe (PID: 9152)
  - SoftupNotify.exe (PID: 7980)
  - SoftupNotify.exe (PID: 9656)
- Manages system restore points
  - SrTasks.exe (PID: 4540)
- Reads product name
  - SoftMgr.exe (PID: 10048)
- Reads Environment values
  - SoftMgr.exe (PID: 10048)
  - DriveTheLife_62303_10_1_37_96.exe (PID: 6504)
- Reads Windows Product ID
  - SoftMgr.exe (PID: 10048)
- TeamViewer related mutex has been found
  - SoftMgr.exe (PID: 10048)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2026:01:21 09:30:47+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.16
CodeSize:	3331584
InitializedDataSize:	1918976
UninitializedDataSize:	-
EntryPoint:	0x1993f3
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.338
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Unicode
CompanyName:	-
FileDescription:
FileVersion:	1.0.0.338
LegalCopyright:	Copyright (C) 2022
ProductVersion:	0.0.0.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

385

Monitored processes

219

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

148

C:\Users\admin\AppData\Local\dhpingbao\duohuipingbao\duohuipingbao.exe /hb

C:\Users\admin\AppData\Local\dhpingbao\duohuipingbao\duohuipingbao.exe

About.exe

User:

admin

Integrity Level:

HIGH

Description:

多绘屏保

Exit code:

Version:

1.0.234.0

Modules

Images
c:\users\admin\appdata\local\dhpingbao\duohuipingbao\duohuipingbao.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

468

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

taskkill.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

492

sc CREATE KaoZipUpdateSrv type= own start= auto DisplayName= "Zip Update Event Notification Service" binPath= "C:\Users\admin\AppData\Local\winToolBox\Tools\zip\kUpdateSrv2.exe"

C:\Windows\SysWOW64\sc.exe

—

usb转串口万能驱动合集_102_636788.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

804

C:\WINDOWS\system32\lsass.exe

C:\Windows\System32\lsass.exe

wininit.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Local Security Authority Process

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\lsass.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\lsasrv.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sechost.dll

876

"C:\Program Files (x86)\SoftMgrbcff1feb\SoftMgr\SoftupNotify.exe" -CloudPromote /SoftId=2000004722 /cloudtype=download

C:\Program Files (x86)\SoftMgrbcff1feb\SoftMgr\SoftupNotify.exe

SDIS.exe

User:

admin

Company:

360.cn

Integrity Level:

HIGH

Description:

360软件管家

Exit code:

Version:

16, 0, 0, 1075

Modules

Images
c:\program files (x86)\softmgrbcff1feb\softmgr\softupnotify.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

1000

C:\Users\admin\AppData\Local\winToolBox\Tools\pdf\pdfReaderSrv.exe

—

services.exe

User:

SYSTEM

Integrity Level:

SYSTEM

Modules

Images
c:\users\admin\appdata\local\wintoolbox\tools\pdf\pdfreadersrv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1320

sc config WinToolBoxUpdateSrv start= auto

C:\Windows\SysWOW64\sc.exe

—

About.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\rpcrt4.dll

1320

"C:\Program Files (x86)\SoftMgrbcff1feb\SoftMgr\SoftMgr.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\SoftMgrbcff1feb\Cache\Web\\" --no-appcompat-clear --main-ver=15.2.6224.0 --mainprocess-ver=15.2.6224.0 --no-sandbox --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4876 --field-trial-handle=2020,i,10062206666840376075,13803178506227306100,262144 --disable-features=HardwareMediaKeyHandling --variations-seed-version /prefetch:1

C:\Program Files (x86)\SoftMgrbcff1feb\SoftMgr\SoftMgr.exe

SoftMgr.exe

User:

admin

Company:

Windows SoftMgr

Integrity Level:

HIGH

Description:

Windows软件管家

Version:

15, 0, 0, 1382

Modules

Images
c:\program files (x86)\softmgrbcff1feb\softmgr\softmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

1368

C:\WINDOWS\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\explorer.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Explorer

Exit code:

Version:

10.0.19041.3758 (WinBuild.160101.0800)

Modules

Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll

1464

sc description WinInterceptUpdateSrv "为软件提供基础更新服务"

C:\Windows\SysWOW64\sc.exe

—

usb转串口万能驱动合集_102_636788.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

Add for printing

Total events

196 493

Read events

194 959

Write events

1 467

Delete events

Modification events


(PID) Process:	(804) lsass.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits
Operation:	write	Name:	SecureTimeHigh
Value: 20CD26CFEB70DC01
(PID) Process:	(804) lsass.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits
Operation:	write	Name:	SecureTimeEstimated
Value: 2065626DE370DC01
(PID) Process:	(804) lsass.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits
Operation:	write	Name:	SecureTimeLow
Value: 20FD9D0BDB70DC01
(PID) Process:	(804) lsass.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\RunTime
Operation:	write	Name:	SecureTimeTickCount
Value: C1521E0000000000
(PID) Process:	(804) lsass.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\SecureTimeLimits\RunTime
Operation:	write	Name:	SecureTimeConfidence
Value: 8
(PID) Process:	(804) lsass.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation:	delete value	Name:	2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
Value:
(PID) Process:	(804) lsass.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
Operation:	write	Name:	Blob
Value: 0400000001000000100000001BFE69D191B71933A372A80FE155E5B51D0000000100000010000000885010358D29A38F059B028559C95F90620000000100000020000000E793C9B02FD8AA13E21C31228ACCB08119643B749C898964B1746D46C3D4CBD2090000000100000054000000305206082B0601050507030206082B06010505070303060A2B0601040182370A030406082B0601050507030406082B0601050507030606082B0601050507030706082B0601050507030106082B060105050703080F000000010000003000000066B764A96581128168CF208E374DDA479D54E311F32457F4AEE0DBD2A6C8D171D531289E1CD22BFDBBD4CFD9796254830300000001000000140000002B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E190000000100000010000000EA6089055218053DD01E37E1D806EEDF53000000010000004300000030413022060C2B06010401B231010201050130123010060A2B0601040182373C0101030200C0301B060567810C010330123010060A2B0601040182373C0101030200C01400000001000000140000005379BF5AAA2B4ACF5480E1D89BC09DF2B20366CB0B00000001000000100000005300650063007400690067006F0000002000000001000000E2050000308205DE308203C6A003020102021001FD6D30FCA3CA51A81BBC640E35032D300D06092A864886F70D01010C0500308188310B3009060355040613025553311330110603550408130A4E6577204A6572736579311430120603550407130B4A65727365792043697479311E301C060355040A131554686520555345525452555354204E6574776F726B312E302C06035504031325555345525472757374205253412043657274696669636174696F6E20417574686F72697479301E170D3130303230313030303030305A170D3338303131383233353935395A308188310B3009060355040613025553311330110603550408130A4E6577204A6572736579311430120603550407130B4A65727365792043697479311E301C060355040A131554686520555345525452555354204E6574776F726B312E302C06035504031325555345525472757374205253412043657274696669636174696F6E20417574686F7269747930820222300D06092A864886F70D01010105000382020F003082020A028202010080126517360EC3DB08B3D0AC570D76EDCD27D34CAD508361E2AA204D092D6409DCCE899FCC3DA9ECF6CFC1DCF1D3B1D67B3728112B47DA39C6BC3A19B45FA6BD7D9DA36342B676F2A93B2B91F8E26FD0EC162090093EE2E874C918B491D46264DB7FA306F188186A90223CBCFE13F087147BF6E41F8ED4E451C61167460851CB8614543FBC33FE7E6C9CFF169D18BD518E35A6A766C87267DB2166B1D49B7803C0503AE8CCF0DCBC9E4CFEAF0596351F575AB7FFCEF93DB72CB6F654DDC8E7123A4DAE4C8AB75C9AB4B7203DCA7F2234AE7E3B68660144E7014E46539B3360F794BE5337907343F332C353EFDBAAFE744E69C76B8C6093DEC4C70CDFE132AECC933B517895678BEE3D56FE0CD0690F1B0FF325266B336DF76E47FA7343E57E0EA566B1297C3284635589C40DC19354301913ACD37D37A7EB5D3A6C355CDB41D712DAA9490BDFD8808A0993628EB566CF2588CD84B8B13FA4390FD9029EEB124C957CF36B05A95E1683CCB867E2E8139DCC5B82D34CB3ED5BFFDEE573AC233B2D00BF3555740949D849581A7F9236E651920EF3267D1C4D17BCC9EC4326D0BF415F40A94444F499E757879E501F5754A83EFD74632FB1506509E658422E431A4CB4F0254759FA041E93D426464A5081B2DEBE78B7FC6715E1C957841E0F63D6E962BAD65F552EEA5CC62808042539B80E2BA9F24C971C073F0D52F5EDEF2F820F0203010001A3423040301D0603551D0E041604145379BF5AAA2B4ACF5480E1D89BC09DF2B20366CB300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF300D06092A864886F70D01010C050003820201005CD47C0DCFF7017D4199650C73C5529FCBF8CF99067F1BDA43159F9E0255579614F1523C27879428ED1F3A0137A276FC5350C0849BC66B4EBA8C214FA28E556291F36915D8BC88E3C4AA0BFDEFA8E94B552A06206D55782919EE5F305C4B241155FF249A6E5E2A2BEE0B4D9F7FF70138941495430709FB60A9EE1CAB128CA09A5EA7986A596D8B3F08FBC8D145AF18156490120F73282EC5E2244EFC58ECF0F445FE22B3EB2F8ED2D9456105C1976FA876728F8B8C36AFBF0D05CE718DE6A66F1F6CA67162C5D8D083720CF16711890C9C134C7234DFBCD571DFAA71DDE1B96C8C3C125D65DABD5712B6436BFFE5DE4D661151CF99AEEC17B6E871918CDE49FEDD3571A21527941CCF61E326BB6FA36725215DE6DD1D0B2E681B3B82AFEC836785D4985174B1B9998089FF7F78195C794A602E9240AE4C372A2CC9C762C80E5DF7365BCAE0252501B4DD1A079C77003FD0DCD5EC3DD4FABB3FCC85D66F7FA92DDFB902F7F5979AB535DAC367B0874AA9289E238EFF5C276BE1B04FF307EE002ED45987CB524195EAF447D7EE6441557C8D590295DD629DC2B9EE5A287484A59BB790C70C07DFF589367432D628C1B0B00BE09C4CC31CD6FCE369B54746812FA282ABD3634470C48DFF2D33BAAD8F7BB57088AE3E19CF4028D8FCC890BB5D9922F552E658C51F883143EE881DD7C68E3C436A1DA718DE7D3D16F162F9CA90A8FD
(PID) Process:	(804) lsass.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E
Operation:	write	Name:	Blob
Value: 5C0000000100000004000000001000000B00000001000000100000005300650063007400690067006F0000001400000001000000140000005379BF5AAA2B4ACF5480E1D89BC09DF2B20366CB53000000010000004300000030413022060C2B06010401B231010201050130123010060A2B0601040182373C0101030200C0301B060567810C010330123010060A2B0601040182373C0101030200C0190000000100000010000000EA6089055218053DD01E37E1D806EEDF0300000001000000140000002B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E0F000000010000003000000066B764A96581128168CF208E374DDA479D54E311F32457F4AEE0DBD2A6C8D171D531289E1CD22BFDBBD4CFD979625483090000000100000054000000305206082B0601050507030206082B06010505070303060A2B0601040182370A030406082B0601050507030406082B0601050507030606082B0601050507030706082B0601050507030106082B06010505070308620000000100000020000000E793C9B02FD8AA13E21C31228ACCB08119643B749C898964B1746D46C3D4CBD21D0000000100000010000000885010358D29A38F059B028559C95F900400000001000000100000001BFE69D191B71933A372A80FE155E5B52000000001000000E2050000308205DE308203C6A003020102021001FD6D30FCA3CA51A81BBC640E35032D300D06092A864886F70D01010C0500308188310B3009060355040613025553311330110603550408130A4E6577204A6572736579311430120603550407130B4A65727365792043697479311E301C060355040A131554686520555345525452555354204E6574776F726B312E302C06035504031325555345525472757374205253412043657274696669636174696F6E20417574686F72697479301E170D3130303230313030303030305A170D3338303131383233353935395A308188310B3009060355040613025553311330110603550408130A4E6577204A6572736579311430120603550407130B4A65727365792043697479311E301C060355040A131554686520555345525452555354204E6574776F726B312E302C06035504031325555345525472757374205253412043657274696669636174696F6E20417574686F7269747930820222300D06092A864886F70D01010105000382020F003082020A028202010080126517360EC3DB08B3D0AC570D76EDCD27D34CAD508361E2AA204D092D6409DCCE899FCC3DA9ECF6CFC1DCF1D3B1D67B3728112B47DA39C6BC3A19B45FA6BD7D9DA36342B676F2A93B2B91F8E26FD0EC162090093EE2E874C918B491D46264DB7FA306F188186A90223CBCFE13F087147BF6E41F8ED4E451C61167460851CB8614543FBC33FE7E6C9CFF169D18BD518E35A6A766C87267DB2166B1D49B7803C0503AE8CCF0DCBC9E4CFEAF0596351F575AB7FFCEF93DB72CB6F654DDC8E7123A4DAE4C8AB75C9AB4B7203DCA7F2234AE7E3B68660144E7014E46539B3360F794BE5337907343F332C353EFDBAAFE744E69C76B8C6093DEC4C70CDFE132AECC933B517895678BEE3D56FE0CD0690F1B0FF325266B336DF76E47FA7343E57E0EA566B1297C3284635589C40DC19354301913ACD37D37A7EB5D3A6C355CDB41D712DAA9490BDFD8808A0993628EB566CF2588CD84B8B13FA4390FD9029EEB124C957CF36B05A95E1683CCB867E2E8139DCC5B82D34CB3ED5BFFDEE573AC233B2D00BF3555740949D849581A7F9236E651920EF3267D1C4D17BCC9EC4326D0BF415F40A94444F499E757879E501F5754A83EFD74632FB1506509E658422E431A4CB4F0254759FA041E93D426464A5081B2DEBE78B7FC6715E1C957841E0F63D6E962BAD65F552EEA5CC62808042539B80E2BA9F24C971C073F0D52F5EDEF2F820F0203010001A3423040301D0603551D0E041604145379BF5AAA2B4ACF5480E1D89BC09DF2B20366CB300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF300D06092A864886F70D01010C050003820201005CD47C0DCFF7017D4199650C73C5529FCBF8CF99067F1BDA43159F9E0255579614F1523C27879428ED1F3A0137A276FC5350C0849BC66B4EBA8C214FA28E556291F36915D8BC88E3C4AA0BFDEFA8E94B552A06206D55782919EE5F305C4B241155FF249A6E5E2A2BEE0B4D9F7FF70138941495430709FB60A9EE1CAB128CA09A5EA7986A596D8B3F08FBC8D145AF18156490120F73282EC5E2244EFC58ECF0F445FE22B3EB2F8ED2D9456105C1976FA876728F8B8C36AFBF0D05CE718DE6A66F1F6CA67162C5D8D083720CF16711890C9C134C7234DFBCD571DFAA71DDE1B96C8C3C125D65DABD5712B6436BFFE5DE4D661151CF99AEEC17B6E871918CDE49FEDD3571A21527941CCF61E326BB6FA36725215DE6DD1D0B2E681B3B82AFEC836785D4985174B1B9998089FF7F78195C794A602E9240AE4C372A2CC9C762C80E5DF7365BCAE0252501B4DD1A079C77003FD0DCD5EC3DD4FABB3FCC85D66F7FA92DDFB902F7F5979AB535DAC367B0874AA9289E238EFF5C276BE1B04FF307EE002ED45987CB524195EAF447D7EE6441557C8D590295DD629DC2B9EE5A287484A59BB790C70C07DFF589367432D628C1B0B00BE09C4CC31CD6FCE369B54746812FA282ABD3634470C48DFF2D33BAAD8F7BB57088AE3E19CF4028D8FCC890BB5D9922F552E658C51F883143EE881DD7C68E3C436A1DA718DE7D3D16F162F9CA90A8FD
(PID) Process:	(804) lsass.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation:	delete value	Name:	D1EB23A46D17D68FD92564C2F1F1601764D8E349
Value:
(PID) Process:	(804) lsass.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
Operation:	write	Name:	Blob
Value: 040000000100000010000000497904B0EB8719AC47B0BC11519B74D0140000000100000014000000A0110A233E96F107ECE2AF29EF82A57FD030A4B4620000000100000020000000D7A7A0FB5D7E2731D771E9484EBCDEF71D5F0C3E0A2948782BC83EE0EA699EF4090000000100000054000000305206082B0601050507030206082B06010505070303060A2B0601040182370A030406082B0601050507030406082B0601050507030606082B0601050507030706082B0601050507030106082B060105050703080F00000001000000140000003E8E6487F8FD27D322A269A71EDAAC5D57811286030000000100000014000000D1EB23A46D17D68FD92564C2F1F1601764D8E3491900000001000000100000002AA1C05E2AE606F198C2C5E937C97AA253000000010000004300000030413022060C2B06010401B231010201050130123010060A2B0601040182373C0101030200C0301B060567810C010330123010060A2B0601040182373C0101030200C00B000000010000001C0000005300650063007400690067006F0020002800410041004100290000001D00000001000000100000002E0D6875874A44C820912E85E964CFDB200000000100000036040000308204323082031AA003020102020101300D06092A864886F70D0101050500307B310B3009060355040613024742311B301906035504080C1247726561746572204D616E636865737465723110300E06035504070C0753616C666F7264311A3018060355040A0C11436F6D6F646F204341204C696D697465643121301F06035504030C18414141204365727469666963617465205365727669636573301E170D3034303130313030303030305A170D3238313233313233353935395A307B310B3009060355040613024742311B301906035504080C1247726561746572204D616E636865737465723110300E06035504070C0753616C666F7264311A3018060355040A0C11436F6D6F646F204341204C696D697465643121301F06035504030C1841414120436572746966696361746520536572766963657330820122300D06092A864886F70D01010105000382010F003082010A0282010100BE409DF46EE1EA76871C4D45448EBE46C883069DC12AFE181F8EE402FAF3AB5D508A16310B9A06D0C57022CD492D5463CCB66E68460B53EACB4C24C0BC724EEAF115AEF4549A120AC37AB23360E2DA8955F32258F3DEDCCFEF8386A28C944F9F68F29890468427C776BFE3CC352C8B5E07646582C048B0A891F9619F762050A891C766B5EB78620356F08A1A13EA31A31EA099FD38F6F62732586F07F56BB8FB142BAFB7AACCD6635F738CDA0599A838A8CB17783651ACE99EF4783A8DCF0FD942E2980CAB2F9F0E01DEEF9F9949F12DDFAC744D1B98B547C5E529D1F99018C7629CBE83C7267B3E8A25C7C0DD9DE6356810209D8FD8DED2C3849C0D5EE82FC90203010001A381C03081BD301D0603551D0E04160414A0110A233E96F107ECE2AF29EF82A57FD030A4B4300E0603551D0F0101FF040403020106300F0603551D130101FF040530030101FF307B0603551D1F047430723038A036A0348632687474703A2F2F63726C2E636F6D6F646F63612E636F6D2F414141436572746966696361746553657276696365732E63726C3036A034A0328630687474703A2F2F63726C2E636F6D6F646F2E6E65742F414141436572746966696361746553657276696365732E63726C300D06092A864886F70D010105050003820101000856FC02F09BE8FFA4FAD67BC64480CE4FC4C5F60058CCA6B6BC1449680476E8E6EE5DEC020F60D68D50184F264E01E3E6B0A5EEBFBC745441BFFDFC12B8C74F5AF48960057F60B7054AF3F6F1C2BFC4B97486B62D7D6BCCD2F346DD2FC6E06AC3C334032C7D96DD5AC20EA70A99C1058BAB0C2FF35C3ACF6C37550987DE53406C58EFFCB6AB656E04F61BDC3CE05A15C69ED9F15948302165036CECE92173EC9B03A1E037ADA015188FFABA02CEA72CA910132CD4E50826AB229760F8905E74D4A29A53BDF2A968E0A26EC2D76CB1A30F9EBFEB68E756F2AEF2E32B383A0981B56B85D7BE2DED3F1AB7B263E2F5622C82D46A004150F139839F95E93696986E

Add for printing

Executable files

605

Suspicious files

570

Text files

244

Unknown types

Dropped files

PID	Process	Filename		Type
5872	usb转串口万能驱动合集_102_636788.exe	C:\Users\admin\AppData\Local\winToolBox\computer-nonet\css\index.css		text
		MD5:5EA974A5AFCC5EFCE319BF3B387D1E93	SHA256:E6516EF3C716B01BBC530E911FEF0AC469FA3D37F098FCFE6965F8A65D0C753A
5872	usb转串口万能驱动合集_102_636788.exe	C:\Users\admin\Desktop\123.7007643.fl.tmp		compressed
		MD5:2BC91209937FE1CDC677E062DB5B47BD	SHA256:3E42BB23AF40063A6184F284757A0CA953469033538691397490A6A120FE34DE
5872	usb转串口万能驱动合集_102_636788.exe	C:\Users\admin\AppData\Local\winToolBox\computer-nonet\css\index.scss		text
		MD5:29E23EF86106B697CF16D5BD88DDB145	SHA256:21CCB46BDC07EE636D797C11DCB42BE828D72307A4B6551A94FBDCEB6714E5C5
5872	usb转串口万能驱动合集_102_636788.exe	C:\Users\admin\Desktop\usb15033.zip		compressed
		MD5:450FEF25BA546A5469165C39A37BCDB5	SHA256:5119D16ECFB80527A7EAE8BA7155DA5854744A642A52E983C2CE4844B6B9F3EC
5872	usb转串口万能驱动合集_102_636788.exe	C:\Users\admin\AppData\Local\winToolBox\Tools\LockScreen\video_full\img\sound-off.png		image
		MD5:46219F39D9681C592C3BED1DDF722409	SHA256:FA58FA9BAF5D858A1EA569A0F134EF7F8EF90CF49D13FFBA51AD324CB05E36E2
5872	usb转串口万能驱动合集_102_636788.exe	C:\Users\admin\AppData\Local\Temp\iosfhMrBBFF0pKgO\target.png		image
		MD5:07E1E34119C7937443560A4DB4F0E4FF	SHA256:3207EB18DB1F1DE6E3649DE5819FC0B504181AC6939171E59CBF5022D6A39CB3
5872	usb转串口万能驱动合集_102_636788.exe	C:\Users\admin\AppData\Local\winToolBox\computer-nonet\css\reset.css		csv
		MD5:4593F56181D98BF62E58E64383B20DED	SHA256:8F16B478B5A247F70351BAD25CD1FAC49F979F38A447AE0384D2DA83944677E2
5872	usb转串口万能驱动合集_102_636788.exe	C:\Users\admin\AppData\Local\winToolBox\computer-nonet\imgs\nonet.png		image
		MD5:478F594AE8B0C03F058A4E381C7974C6	SHA256:51DC7C17FE88421483C2B4CFBD38CA54D7C2DBC8F7577D41D4586E3EE78DED4E
5872	usb转串口万能驱动合集_102_636788.exe	C:\Users\admin\AppData\Local\winToolBox\computer-nonet\index.html		html
		MD5:5DD5D34DA11CE54B0DFCAA9C61E2FBE0	SHA256:919B6153F338B6CD826094D66639C0EFDF9CFA661812333351A724D36C153A73
5872	usb转串口万能驱动合集_102_636788.exe	C:\Users\admin\AppData\Local\winToolBox\Tools\LockScreen\video_full\css\blur.svg		image
		MD5:64CED15A08A0B937E8AFBD10B3261C91	SHA256:C0B23516B64045D7CB9FFB27E858423F48521AF56D903E41BC69D835A67BB254

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

333

TCP/UDP connections

592

DNS requests

258

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5872	usb转串口万能驱动合集_102_636788.exe	HEAD	302	43.159.104.132:443	https://www.onlinedown.net/iopdfbhjl/636788?module=download&t=website&v=20260203172849	SG	—	—	unknown
5872	usb转串口万能驱动合集_102_636788.exe	HEAD	200	218.12.76.152:443	https://download.ihsdus.cn/down/2024down/8/13/usb15033.zip?timestamp=6981bfd9&auth_key=5517594e52f64b60dfb934423c1afba0	CN	—	—	unknown
5872	usb转串口万能驱动合集_102_636788.exe	HEAD	200	218.12.76.152:443	https://download.ihsdus.cn/down/2024down/8/13/usb15033.zip?timestamp=6981bfd9&auth_key=5517594e52f64b60dfb934423c1afba0	CN	—	—	unknown
5872	usb转串口万能驱动合集_102_636788.exe	HEAD	200	218.12.76.152:443	https://download.ihsdus.cn/down/2024down/8/13/usb15033.zip?timestamp=6981bfd9&auth_key=5517594e52f64b60dfb934423c1afba0	CN	—	—	unknown
5872	usb转串口万能驱动合集_102_636788.exe	GET	200	43.159.104.132:443	https://www.onlinedown.net/api/ryapi?webid=2&softid=636788&token=0d5bb2d16338e03cf41d9044422aafe7	SG	text	1.22 Kb	unknown
—	—	GET	200	162.159.142.9:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	US	binary	312 b	whitelisted
5872	usb转串口万能驱动合集_102_636788.exe	POST	200	112.126.77.202:80	http://apiinfo.lfuerts.cn/v1/client/logid	CN	text	513 b	unknown
5872	usb转串口万能驱动合集_102_636788.exe	POST	200	60.205.148.178:80	http://api.nasyeo.com/api/info	CN	text	524 b	unknown
5872	usb转串口万能驱动合集_102_636788.exe	POST	200	112.126.77.202:80	http://apiinfo.lfuerts.cn/v1/client/softmgr/info	CN	text	277 b	unknown
5872	usb转串口万能驱动合集_102_636788.exe	GET	200	112.126.77.202:80	http://apiinfo.lfuerts.cn/log/client/site_soft?action=open&user=12bc13d4d429580c4394a5bfc3aa06a3&channel=102&ver=1.0.0.338&sys=10.0&sdsoft=0&softid=636788&filename=usbh=,d82e#d8h=i)1e (ei_102_636788.exe&checks=1&err=0	CN	text	2 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	Not routed	—	whitelisted
9088	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
1324	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6768	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
5568	SearchApp.exe	92.123.104.44:443	www.bing.com	AKAMAI-ASN1	NL	whitelisted
—	—	162.159.142.9:80	ocsp.digicert.com	CLOUDFLARENET	US	whitelisted
3412	svchost.exe	172.211.123.250:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4	System	192.168.100.255:138	—	Not routed	—	whitelisted
5872	usb转串口万能驱动合集_102_636788.exe	112.126.77.202:80	apiinfo.lfuerts.cn	ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.,Ltd.	CN	whitelisted
5872	usb转串口万能驱动合集_102_636788.exe	60.205.148.178:80	api.nasyeo.com	ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.,Ltd.	CN	unknown

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2	whitelisted
self.events.data.microsoft.com	51.132.193.105 52.182.143.211	whitelisted
google.com	142.250.201.78	whitelisted
www.bing.com	92.123.104.44 92.123.104.38 92.123.104.41 92.123.104.36 92.123.104.45 92.123.104.37 92.123.104.40 92.123.104.42 92.123.104.35	whitelisted
ocsp.digicert.com	162.159.142.9 172.66.2.5 2.17.190.73	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.248	whitelisted
apiinfo.lfuerts.cn	112.126.77.202	unknown
api.nasyeo.com	60.205.148.178	unknown
www.onlinedown.net	43.159.104.132	whitelisted
static.flmgr.net	123.12.235.57 222.138.7.59 123.6.25.125 123.12.235.56 36.249.95.109 61.54.94.102 123.6.175.15 61.161.1.110 61.156.82.185 123.6.175.16 119.167.147.74 123.12.235.104	unknown

Threats

PID	Process	Class	Message
5872	usb转串口万能驱动合集_102_636788.exe	Misc activity	ET INFO Observed ZeroSSL SSL/TLS Certificate
5872	usb转串口万能驱动合集_102_636788.exe	Misc activity	ET INFO Observed ZeroSSL SSL/TLS Certificate
5872	usb转串口万能驱动合集_102_636788.exe	Misc activity	ET INFO Observed ZeroSSL SSL/TLS Certificate
5872	usb转串口万能驱动合集_102_636788.exe	Misc activity	ET INFO Observed ZeroSSL SSL/TLS Certificate
5872	usb转串口万能驱动合集_102_636788.exe	Potentially Bad Traffic	ET INFO PE EXE or DLL Windows file download HTTP
3980	LiveUpdate360.exe	Potentially Bad Traffic	ET INFO PE EXE or DLL Windows file download HTTP
3980	LiveUpdate360.exe	Potentially Bad Traffic	ET INFO PE EXE or DLL Windows file download HTTP
3980	LiveUpdate360.exe	Potentially Bad Traffic	ET INFO PE EXE or DLL Windows file download HTTP
3980	LiveUpdate360.exe	Potentially Bad Traffic	ET INFO PE EXE or DLL Windows file download HTTP
3980	LiveUpdate360.exe	Potentially Bad Traffic	ET INFO PE EXE or DLL Windows file download HTTP

Add for printing

Process	Message
ZipMaster.exe	the new adapter is same to previous set adapter, same as notifyDatasetChanged SOUI::SMCListView::SetAdapter f:\workpath\newsoui3\soui3\soui\src\control\smclistview.cpp:83
ZipMaster.exe	SMessageLoop::Run - exiting,code = 1 SOUI::SMessageLoop::Run f:\workpath\newsoui3\soui3\soui\src\core\smsgloop.cpp:84
About.exe	Win???About,????.
About.exe	????WebSocket???...
About.exe	?????????
About.exe	????,??:11703
About.exe	????,??:15920
About.exe	????,??:27551
About.exe	??????
About.exe	????????: ????:1 ????:1 ??????:1 ????:3 ????:duohuipingbao ????:sm3024227

General Info

usb转串口万能驱动合集_102_636788.exe

3CAFC6916F3B9414B5A0D4DF8812CB06

0BC86F3BF7E158047A15078704288107C9B07603

E9879094BC434B5BA7922A85DFE6D20DDFF9EBC61007770367E395B46A965CA0

98304:DebFT2lnDdE7wFc0dGBfRlkW4pDHNEsNZxXUyRPkYTXaI2ELqWOjuxbzD4Dv1k6Q:8qkC

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes settings of System certificates

Registers / Runs the DLL via REGSVR32.EXE

Proxy execution via Explorer

Changes the autorun value in the registry

QIHOO360 mutex has been found

Actions looks like stealing of personal data

SUSPICIOUS

Adds/modifies Windows certificates

Stops a currently running service

Windows service management via SC.EXE

Uses TASKKILL.EXE to kill process

Creates file in the systems drive root

Process drops legitimate windows executable

Creates/Modifies COM task schedule object

Executes as Windows Service

Searches for installed software

Drops 7-zip archiver for unpacking

The process drops C-runtime libraries

Uses NETSH.EXE to add a firewall rule or allowed programs

Drops a system driver (possible attempt to evade defenses)

Sets the service to start on system boot

The process verifies whether the antivirus software is installed

Application launched itself

Using the short paths format

Changes default file association

The process executes via Task Scheduler

Reads the BIOS version

Reads the date of Windows installation

The process checks if it is being run in the virtual environment

Changes the Home page of Internet Explorer

Access to an unwanted program domain was detected

Changes the title of the Internet Explorer window

Executes application which crashes

INFO

The sample compiled with chinese language support

Reads the machine GUID from the registry

Reads the computer name

Checks supported languages

There is functionality for taking screenshot (YARA)

Create files in a temporary directory

Reads security settings of Internet Explorer

The sample compiled with english language support

Creates files or folders in the user directory

Drops script file

Reads Microsoft Office registry keys

Process checks computer location settings

Creates a software uninstall entry

Checks proxy server information

Compiled with Borland Delphi (YARA)

Application launched itself

Manual execution by a user

Launching a file from a Registry key

Creates files in the program directory

Reads CPU info

Disables trace logs

Manages system restore points

Reads product name

Reads Environment values

Reads Windows Product ID

TeamViewer related mutex has been found

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph