File name:

微.信_b0134013606.exe

Full analysis: https://app.any.run/tasks/a8e1000e-23b1-49b3-8d5f-0189685a1998
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 09, 2024, 04:31:41
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
loader
stealer
rust
arch-exec
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

5D04DA31238FF20998723B09AFFD65D3

SHA1:

C00ADA0D38135108C2028882EC9B340B905D667D

SHA256:

F1EA3DD89B90FD6F29EA9ADDB9E30A4A527F8F83BB9E9D26C2FAF05F21C209AA

SSDEEP:

98304:O0+5GIxYarSRdI0gpS4cR1BCCmTiTx5FA9iU5fCCGjwhv64/8Pn9pYLplNAq3Dwz:3Xoj7go13rb4d

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Registers / Runs the DLL via REGSVR32.EXE

      • computercenter.exe (PID: 6728)
    • Actions looks like stealing of personal data

      • computercenter.exe (PID: 6728)
      • start_menu_pro.exe (PID: 5876)
      • intercept_bs_ui.exe (PID: 6136)
      • privacy_clean.exe (PID: 7684)
      • software_pm_ui.exe (PID: 8052)
  • SUSPICIOUS

    • Searches for installed software

      • 微.信_b0134013606.exe (PID: 6412)
      • ComputerZTray.exe (PID: 3524)
      • computercenter.exe (PID: 6728)
      • start_menu_pro.exe (PID: 5876)
      • PCStore.exe (PID: 1804)
      • Extention.exe (PID: 7416)
      • software_pm_ui.exe (PID: 8052)
    • Reads security settings of Internet Explorer

      • 微.信_b0134013606.exe (PID: 6412)
      • Ldshelper.exe (PID: 5320)
      • ComputerZTray.exe (PID: 3524)
      • start_menu_pro.exe (PID: 5876)
      • computercenter.exe (PID: 6728)
      • index_service.exe (PID: 7064)
      • CefView.exe (PID: 3744)
      • start_menu_helper.exe (PID: 2212)
      • CefView.exe (PID: 4908)
      • CefView.exe (PID: 2432)
      • os_context_menu.exe (PID: 3824)
      • intercept_bs_ui.exe (PID: 6136)
      • proc_opt_ui.exe (PID: 1480)
      • StoreTray.exe (PID: 4716)
      • PCStore.exe (PID: 1804)
      • CefView.exe (PID: 6684)
      • CefView.exe (PID: 7176)
      • CefView.exe (PID: 7184)
      • CefView.exe (PID: 6856)
      • Extention.exe (PID: 7416)
      • CefView.exe (PID: 7616)
      • CefView.exe (PID: 7884)
      • CefView.exe (PID: 8016)
      • CefView.exe (PID: 8008)
      • xban32.exe (PID: 7704)
      • xban32.exe (PID: 3620)
      • xban32.exe (PID: 7024)
      • xban32.exe (PID: 8164)
      • xban32.exe (PID: 7408)
      • xban32.exe (PID: 7692)
      • xban32.exe (PID: 6580)
      • xban32.exe (PID: 4512)
      • xban32.exe (PID: 8064)
      • xban32.exe (PID: 7960)
      • xban32.exe (PID: 4384)
      • xban32.exe (PID: 7456)
      • xban32.exe (PID: 7864)
      • xban32.exe (PID: 8168)
      • xban32.exe (PID: 7548)
      • xban32.exe (PID: 7744)
      • xban32.exe (PID: 448)
      • xban32.exe (PID: 7636)
      • xban32.exe (PID: 7692)
      • xban32.exe (PID: 3140)
      • xban32.exe (PID: 7524)
      • cclean.exe (PID: 3620)
      • cclean.exe (PID: 8096)
      • duplicate_file_clean.exe (PID: 7980)
      • intercept_bs_ui.exe (PID: 7940)
      • duplicate_file_clean.exe (PID: 7960)
      • cclean.exe (PID: 8064)
      • defrag.exe (PID: 7876)
      • browser_guard.exe (PID: 6516)
      • privacy_protection.exe (PID: 7460)
      • privacy_protection.exe (PID: 6224)
      • privacy_incognito.exe (PID: 7576)
      • privacy_protection.exe (PID: 7516)
      • CefView.exe (PID: 7764)
      • privacy_clean.exe (PID: 7684)
      • CefView.exe (PID: 6636)
      • CefView.exe (PID: 7008)
      • CefView.exe (PID: 6392)
      • software_pm_ui.exe (PID: 8052)
      • CefView.exe (PID: 8036)
    • Process requests binary or script from the Internet

      • 微.信_b0134013606.exe (PID: 6412)
      • Extention.exe (PID: 7416)
    • Potential Corporate Privacy Violation

      • 微.信_b0134013606.exe (PID: 6412)
      • Extention.exe (PID: 7416)
    • Drops 7-zip archiver for unpacking

      • 微.信_b0134013606.exe (PID: 6412)
      • ComputerZTray.exe (PID: 3524)
    • Executable content was dropped or overwritten

      • 微.信_b0134013606.exe (PID: 6412)
      • ComputerZTray.exe (PID: 3524)
      • PCStore.exe (PID: 1804)
      • Extention.exe (PID: 7416)
      • computercenter.exe (PID: 6728)
      • xban32.exe (PID: 7692)
      • xban32.exe (PID: 4512)
      • xban32.exe (PID: 4384)
      • xban32.exe (PID: 7864)
      • xban32.exe (PID: 7744)
      • xban32.exe (PID: 3140)
    • Checks Windows Trust Settings

      • 微.信_b0134013606.exe (PID: 6412)
      • ComputerZTray.exe (PID: 3524)
      • start_menu_pro.exe (PID: 5876)
      • index_service.exe (PID: 7064)
      • computercenter.exe (PID: 6728)
      • CefView.exe (PID: 3744)
      • start_menu_helper.exe (PID: 2212)
      • CefView.exe (PID: 4908)
      • CefView.exe (PID: 2432)
      • os_context_menu.exe (PID: 3824)
      • intercept_bs_ui.exe (PID: 6136)
      • proc_opt_ui.exe (PID: 1480)
      • StoreTray.exe (PID: 4716)
      • PCStore.exe (PID: 1804)
      • CefView.exe (PID: 6684)
      • CefView.exe (PID: 6856)
      • CefView.exe (PID: 7176)
      • CefView.exe (PID: 7184)
      • Extention.exe (PID: 7416)
      • CefView.exe (PID: 7616)
      • CefView.exe (PID: 7884)
      • CefView.exe (PID: 8016)
      • CefView.exe (PID: 8008)
      • xban32.exe (PID: 7704)
      • xban32.exe (PID: 3620)
      • xban32.exe (PID: 7024)
      • xban32.exe (PID: 8164)
      • xban32.exe (PID: 7408)
      • xban32.exe (PID: 7692)
      • xban32.exe (PID: 6580)
      • xban32.exe (PID: 4512)
      • xban32.exe (PID: 8064)
      • xban32.exe (PID: 7960)
      • xban32.exe (PID: 7456)
      • xban32.exe (PID: 7864)
      • xban32.exe (PID: 8168)
      • xban32.exe (PID: 7548)
      • xban32.exe (PID: 7744)
      • xban32.exe (PID: 448)
      • xban32.exe (PID: 7636)
      • xban32.exe (PID: 3140)
      • xban32.exe (PID: 7692)
      • xban32.exe (PID: 7524)
      • xban32.exe (PID: 4384)
      • cclean.exe (PID: 3620)
      • cclean.exe (PID: 8096)
      • duplicate_file_clean.exe (PID: 7980)
      • intercept_bs_ui.exe (PID: 7940)
      • cclean.exe (PID: 8064)
      • duplicate_file_clean.exe (PID: 7960)
      • privacy_protection.exe (PID: 7460)
      • defrag.exe (PID: 7876)
      • privacy_protection.exe (PID: 6224)
      • privacy_incognito.exe (PID: 7576)
      • browser_guard.exe (PID: 6516)
      • privacy_protection.exe (PID: 7516)
      • privacy_clean.exe (PID: 7684)
      • CefView.exe (PID: 7764)
      • CefView.exe (PID: 6636)
      • CefView.exe (PID: 6392)
      • CefView.exe (PID: 7008)
      • software_pm_ui.exe (PID: 8052)
      • CefView.exe (PID: 8036)
    • Process drops legitimate windows executable

      • 微.信_b0134013606.exe (PID: 6412)
      • PCStore.exe (PID: 1804)
      • Extention.exe (PID: 7416)
    • Adds/modifies Windows certificates

      • 微.信_b0134013606.exe (PID: 6412)
    • The process creates files with name similar to system file names

      • 微.信_b0134013606.exe (PID: 6412)
    • Creates a software uninstall entry

      • 微.信_b0134013606.exe (PID: 6412)
    • Drops a system driver (possible attempt to evade defenses)

      • 微.信_b0134013606.exe (PID: 6412)
    • Application launched itself

      • computercenter.exe (PID: 6728)
      • CefView.exe (PID: 3744)
      • CefView.exe (PID: 4336)
      • CefView.exe (PID: 6856)
      • CefView.exe (PID: 7884)
      • CefView.exe (PID: 7764)
    • Creates or modifies Windows services

      • ComputerZTray.exe (PID: 3524)
    • The process checks if it is being run in the virtual environment

      • proc_opt_ui.exe (PID: 1480)
    • Uses WMIC.EXE

      • cmd.exe (PID: 7220)
    • Starts CMD.EXE for commands execution

      • xban32.exe (PID: 8064)
  • INFO

    • Reads the computer name

      • 微.信_b0134013606.exe (PID: 6412)
      • Ldshelper.exe (PID: 5320)
      • computercenter.exe (PID: 6728)
      • ComputerZTray.exe (PID: 3524)
      • index_service.exe (PID: 7064)
      • start_menu_pro.exe (PID: 5876)
      • CefView.exe (PID: 3744)
      • CefView.exe (PID: 4908)
      • os_context_menu.exe (PID: 3824)
      • proc_opt_ui.exe (PID: 1480)
      • intercept_bs_ui.exe (PID: 6136)
      • StoreTray.exe (PID: 4716)
      • PCStore.exe (PID: 1804)
      • CefView.exe (PID: 4336)
      • CefView.exe (PID: 6464)
      • CefView.exe (PID: 6684)
      • CefView.exe (PID: 6856)
      • CefView.exe (PID: 7184)
      • Extention.exe (PID: 7416)
      • CefView.exe (PID: 7616)
      • CefView.exe (PID: 7504)
      • CefView.exe (PID: 7884)
      • CefView.exe (PID: 8016)
      • xban32.exe (PID: 7704)
      • xban32.exe (PID: 3620)
      • xban32.exe (PID: 7024)
      • xban32.exe (PID: 8164)
      • xban32.exe (PID: 7408)
      • xban32.exe (PID: 7692)
      • xban32.exe (PID: 6580)
      • xban32.exe (PID: 4512)
      • xban32.exe (PID: 8064)
      • xban32.exe (PID: 7960)
      • xban32.exe (PID: 4384)
      • xban32.exe (PID: 7456)
      • xban32.exe (PID: 7864)
      • xban32.exe (PID: 8168)
      • xban32.exe (PID: 7744)
      • xban32.exe (PID: 448)
      • xban32.exe (PID: 7636)
      • xban32.exe (PID: 3140)
      • xban32.exe (PID: 7692)
      • xban32.exe (PID: 7524)
      • xban32.exe (PID: 7548)
      • defrag.exe (PID: 7876)
      • browser_guard.exe (PID: 6516)
      • CefView.exe (PID: 7764)
      • privacy_clean.exe (PID: 7684)
      • CefView.exe (PID: 6392)
      • CefView.exe (PID: 8036)
    • Creates files in the program directory

      • 微.信_b0134013606.exe (PID: 6412)
      • ComputerZTray.exe (PID: 3524)
      • computercenter.exe (PID: 6728)
      • intercept_bs_ui.exe (PID: 6136)
      • proc_opt_ui.exe (PID: 1480)
      • PCStore.exe (PID: 1804)
      • StoreTray.exe (PID: 4716)
      • Extention.exe (PID: 7416)
      • xban32.exe (PID: 7692)
      • xban32.exe (PID: 4512)
      • xban32.exe (PID: 4384)
      • xban32.exe (PID: 7864)
      • xban32.exe (PID: 7744)
      • xban32.exe (PID: 3140)
      • software_pm_ui.exe (PID: 8052)
    • Checks supported languages

      • 微.信_b0134013606.exe (PID: 6412)
      • ComputerZTray.exe (PID: 3524)
      • Ldshelper.exe (PID: 5320)
      • start_menu_pro.exe (PID: 5876)
      • computercenter.exe (PID: 6728)
      • index_service.exe (PID: 7064)
      • computercenter.exe (PID: 5864)
      • computercenter.exe (PID: 4932)
      • CefView.exe (PID: 3744)
      • start_menu_helper.exe (PID: 2212)
      • CefView.exe (PID: 4908)
      • CefView.exe (PID: 2432)
      • intercept_bs_ui.exe (PID: 6136)
      • proc_opt_ui.exe (PID: 1480)
      • computercenter.exe (PID: 4628)
      • os_context_menu.exe (PID: 3824)
      • computercenter.exe (PID: 6192)
      • PCStore.exe (PID: 1804)
      • StoreTray.exe (PID: 4716)
      • CefView.exe (PID: 6464)
      • CefView.exe (PID: 5236)
      • CefView.exe (PID: 4336)
      • CefView.exe (PID: 6684)
      • CefView.exe (PID: 6856)
      • CefView.exe (PID: 7176)
      • CefView.exe (PID: 7184)
      • Extention.exe (PID: 7416)
      • CefView.exe (PID: 7616)
      • CefView.exe (PID: 7884)
      • CefView.exe (PID: 8016)
      • CefView.exe (PID: 8008)
      • computercenter.exe (PID: 7656)
      • computercenter.exe (PID: 7620)
      • computercenter.exe (PID: 7664)
      • computercenter.exe (PID: 7616)
      • computercenter.exe (PID: 7744)
      • xban32.exe (PID: 3620)
      • xban32.exe (PID: 7704)
      • xban32.exe (PID: 7024)
      • xban32.exe (PID: 8164)
      • xban32.exe (PID: 7408)
      • xban32.exe (PID: 7692)
      • xban32.exe (PID: 6580)
      • xban32.exe (PID: 4512)
      • xban32.exe (PID: 8064)
      • CefView.exe (PID: 7504)
      • xban32.exe (PID: 7960)
      • xban32.exe (PID: 4384)
      • xban32.exe (PID: 7456)
      • xban32.exe (PID: 7864)
      • xban32.exe (PID: 8168)
      • xban32.exe (PID: 7548)
      • xban32.exe (PID: 7744)
      • xban32.exe (PID: 7636)
      • xban32.exe (PID: 448)
      • xban32.exe (PID: 7692)
      • xban32.exe (PID: 3140)
      • xban32.exe (PID: 7524)
      • cclean.exe (PID: 3620)
      • computercenter.exe (PID: 8052)
      • computercenter.exe (PID: 5040)
      • computercenter.exe (PID: 8140)
      • cclean.exe (PID: 8096)
      • computercenter.exe (PID: 7220)
      • duplicate_file_clean.exe (PID: 7980)
      • computercenter.exe (PID: 7988)
      • computercenter.exe (PID: 6584)
      • duplicate_file_clean.exe (PID: 7960)
      • computercenter.exe (PID: 3884)
      • computercenter.exe (PID: 3652)
      • computercenter.exe (PID: 7860)
      • computercenter.exe (PID: 6968)
      • cclean.exe (PID: 8064)
      • privacy_protection.exe (PID: 7460)
      • computercenter.exe (PID: 7888)
      • computercenter.exe (PID: 7076)
      • privacy_protection.exe (PID: 6224)
      • computercenter.exe (PID: 3772)
      • defrag.exe (PID: 7876)
      • browser_guard.exe (PID: 6516)
      • privacy_incognito.exe (PID: 7576)
      • privacy_protection.exe (PID: 7516)
      • privacy_clean.exe (PID: 7684)
      • CefView.exe (PID: 7764)
      • CefView.exe (PID: 6392)
      • CefView.exe (PID: 6636)
      • CefView.exe (PID: 7008)
      • software_pm_ui.exe (PID: 8052)
      • CefView.exe (PID: 8036)
      • intercept_bs_ui.exe (PID: 7940)
    • Creates files or folders in the user directory

      • 微.信_b0134013606.exe (PID: 6412)
      • Ldshelper.exe (PID: 5320)
      • computercenter.exe (PID: 6728)
      • ComputerZTray.exe (PID: 3524)
      • start_menu_pro.exe (PID: 5876)
      • index_service.exe (PID: 7064)
      • CefView.exe (PID: 3744)
      • proc_opt_ui.exe (PID: 1480)
      • intercept_bs_ui.exe (PID: 6136)
      • StoreTray.exe (PID: 4716)
      • PCStore.exe (PID: 1804)
      • CefView.exe (PID: 4336)
      • CefView.exe (PID: 6856)
      • Extention.exe (PID: 7416)
      • CefView.exe (PID: 7884)
      • xban32.exe (PID: 7704)
      • xban32.exe (PID: 3620)
      • xban32.exe (PID: 7024)
      • xban32.exe (PID: 8164)
      • xban32.exe (PID: 7408)
      • xban32.exe (PID: 7692)
      • xban32.exe (PID: 6580)
      • xban32.exe (PID: 4512)
      • xban32.exe (PID: 7960)
      • xban32.exe (PID: 8064)
      • xban32.exe (PID: 4384)
      • xban32.exe (PID: 7456)
      • xban32.exe (PID: 7864)
      • xban32.exe (PID: 8168)
      • xban32.exe (PID: 7548)
      • xban32.exe (PID: 7744)
      • xban32.exe (PID: 448)
      • xban32.exe (PID: 7636)
      • xban32.exe (PID: 7692)
      • xban32.exe (PID: 3140)
      • xban32.exe (PID: 7524)
      • privacy_incognito.exe (PID: 7576)
      • defrag.exe (PID: 7876)
      • CefView.exe (PID: 7764)
      • privacy_clean.exe (PID: 7684)
      • software_pm_ui.exe (PID: 8052)
      • browser_guard.exe (PID: 6516)
    • Checks proxy server information

      • 微.信_b0134013606.exe (PID: 6412)
      • Ldshelper.exe (PID: 5320)
      • ComputerZTray.exe (PID: 3524)
      • computercenter.exe (PID: 6728)
      • index_service.exe (PID: 7064)
      • start_menu_pro.exe (PID: 5876)
      • CefView.exe (PID: 3744)
      • intercept_bs_ui.exe (PID: 6136)
      • proc_opt_ui.exe (PID: 1480)
      • StoreTray.exe (PID: 4716)
      • PCStore.exe (PID: 1804)
      • CefView.exe (PID: 4336)
      • CefView.exe (PID: 6856)
      • Extention.exe (PID: 7416)
      • CefView.exe (PID: 7884)
      • xban32.exe (PID: 7704)
      • xban32.exe (PID: 3620)
      • xban32.exe (PID: 7024)
      • xban32.exe (PID: 8164)
      • xban32.exe (PID: 7408)
      • xban32.exe (PID: 7692)
      • xban32.exe (PID: 6580)
      • xban32.exe (PID: 4512)
      • xban32.exe (PID: 7960)
      • xban32.exe (PID: 4384)
      • xban32.exe (PID: 8064)
      • xban32.exe (PID: 7456)
      • xban32.exe (PID: 7864)
      • xban32.exe (PID: 8168)
      • xban32.exe (PID: 7548)
      • xban32.exe (PID: 7744)
      • xban32.exe (PID: 448)
      • xban32.exe (PID: 7636)
      • xban32.exe (PID: 7692)
      • xban32.exe (PID: 3140)
      • xban32.exe (PID: 7524)
      • defrag.exe (PID: 7876)
      • privacy_clean.exe (PID: 7684)
      • CefView.exe (PID: 7764)
      • software_pm_ui.exe (PID: 8052)
    • Reads the machine GUID from the registry

      • 微.信_b0134013606.exe (PID: 6412)
      • ComputerZTray.exe (PID: 3524)
      • start_menu_pro.exe (PID: 5876)
      • computercenter.exe (PID: 6728)
      • index_service.exe (PID: 7064)
      • CefView.exe (PID: 3744)
      • start_menu_helper.exe (PID: 2212)
      • CefView.exe (PID: 4908)
      • CefView.exe (PID: 2432)
      • os_context_menu.exe (PID: 3824)
      • intercept_bs_ui.exe (PID: 6136)
      • proc_opt_ui.exe (PID: 1480)
      • StoreTray.exe (PID: 4716)
      • PCStore.exe (PID: 1804)
      • CefView.exe (PID: 4336)
      • CefView.exe (PID: 6684)
      • CefView.exe (PID: 7176)
      • CefView.exe (PID: 7184)
      • CefView.exe (PID: 6856)
      • Extention.exe (PID: 7416)
      • CefView.exe (PID: 7616)
      • CefView.exe (PID: 7884)
      • CefView.exe (PID: 8016)
      • CefView.exe (PID: 8008)
      • xban32.exe (PID: 7704)
      • xban32.exe (PID: 3620)
      • xban32.exe (PID: 7024)
      • xban32.exe (PID: 8164)
      • xban32.exe (PID: 7408)
      • xban32.exe (PID: 7692)
      • xban32.exe (PID: 6580)
      • xban32.exe (PID: 4512)
      • xban32.exe (PID: 8064)
      • xban32.exe (PID: 7960)
      • xban32.exe (PID: 4384)
      • xban32.exe (PID: 7456)
      • xban32.exe (PID: 8168)
      • xban32.exe (PID: 7548)
      • xban32.exe (PID: 7744)
      • xban32.exe (PID: 448)
      • xban32.exe (PID: 7636)
      • xban32.exe (PID: 7692)
      • xban32.exe (PID: 3140)
      • xban32.exe (PID: 7524)
      • cclean.exe (PID: 3620)
      • cclean.exe (PID: 8096)
      • xban32.exe (PID: 7864)
      • duplicate_file_clean.exe (PID: 7980)
      • intercept_bs_ui.exe (PID: 7940)
      • cclean.exe (PID: 8064)
      • duplicate_file_clean.exe (PID: 7960)
      • privacy_protection.exe (PID: 7460)
      • defrag.exe (PID: 7876)
      • browser_guard.exe (PID: 6516)
      • privacy_protection.exe (PID: 6224)
      • privacy_incognito.exe (PID: 7576)
      • privacy_clean.exe (PID: 7684)
      • CefView.exe (PID: 7764)
      • privacy_protection.exe (PID: 7516)
      • CefView.exe (PID: 6636)
      • CefView.exe (PID: 6392)
      • software_pm_ui.exe (PID: 8052)
      • CefView.exe (PID: 8036)
      • CefView.exe (PID: 7008)
    • Create files in a temporary directory

      • 微.信_b0134013606.exe (PID: 6412)
      • ComputerZTray.exe (PID: 3524)
      • PCStore.exe (PID: 1804)
      • Extention.exe (PID: 7416)
      • computercenter.exe (PID: 6728)
      • privacy_clean.exe (PID: 7684)
    • The process uses the downloaded file

      • 微.信_b0134013606.exe (PID: 6412)
      • ComputerZTray.exe (PID: 3524)
      • computercenter.exe (PID: 6728)
      • StoreTray.exe (PID: 4716)
      • PCStore.exe (PID: 1804)
    • Process checks computer location settings

      • 微.信_b0134013606.exe (PID: 6412)
      • ComputerZTray.exe (PID: 3524)
      • computercenter.exe (PID: 6728)
      • StoreTray.exe (PID: 4716)
      • PCStore.exe (PID: 1804)
      • CefView.exe (PID: 5236)
      • CefView.exe (PID: 8008)
      • CefView.exe (PID: 6636)
    • Reads the software policy settings

      • 微.信_b0134013606.exe (PID: 6412)
      • ComputerZTray.exe (PID: 3524)
      • start_menu_pro.exe (PID: 5876)
      • index_service.exe (PID: 7064)
      • CefView.exe (PID: 3744)
      • start_menu_helper.exe (PID: 2212)
      • CefView.exe (PID: 4908)
      • CefView.exe (PID: 2432)
      • computercenter.exe (PID: 6728)
      • os_context_menu.exe (PID: 3824)
      • intercept_bs_ui.exe (PID: 6136)
      • StoreTray.exe (PID: 4716)
      • PCStore.exe (PID: 1804)
      • proc_opt_ui.exe (PID: 1480)
      • CefView.exe (PID: 6684)
      • CefView.exe (PID: 4336)
      • CefView.exe (PID: 6856)
      • CefView.exe (PID: 7184)
      • CefView.exe (PID: 7176)
      • CefView.exe (PID: 7616)
      • Extention.exe (PID: 7416)
      • CefView.exe (PID: 8016)
      • CefView.exe (PID: 8008)
      • CefView.exe (PID: 7884)
      • xban32.exe (PID: 7704)
      • xban32.exe (PID: 3620)
      • xban32.exe (PID: 7024)
      • xban32.exe (PID: 7408)
      • xban32.exe (PID: 8164)
      • xban32.exe (PID: 6580)
      • xban32.exe (PID: 7692)
      • xban32.exe (PID: 4512)
      • xban32.exe (PID: 4384)
      • xban32.exe (PID: 8064)
      • xban32.exe (PID: 7960)
      • xban32.exe (PID: 7456)
      • xban32.exe (PID: 7864)
      • xban32.exe (PID: 8168)
      • xban32.exe (PID: 7548)
      • xban32.exe (PID: 7744)
      • xban32.exe (PID: 7636)
      • xban32.exe (PID: 448)
      • xban32.exe (PID: 7692)
      • xban32.exe (PID: 3140)
      • xban32.exe (PID: 7524)
      • cclean.exe (PID: 3620)
      • intercept_bs_ui.exe (PID: 7940)
      • cclean.exe (PID: 8064)
      • duplicate_file_clean.exe (PID: 7960)
      • cclean.exe (PID: 8096)
      • privacy_protection.exe (PID: 7460)
      • defrag.exe (PID: 7876)
      • browser_guard.exe (PID: 6516)
      • privacy_protection.exe (PID: 7516)
      • privacy_protection.exe (PID: 6224)
      • CefView.exe (PID: 7764)
      • privacy_clean.exe (PID: 7684)
      • CefView.exe (PID: 6636)
      • CefView.exe (PID: 6392)
      • privacy_incognito.exe (PID: 7576)
      • duplicate_file_clean.exe (PID: 7980)
      • CefView.exe (PID: 7008)
      • software_pm_ui.exe (PID: 8052)
      • CefView.exe (PID: 8036)
    • Disables trace logs

      • ComputerZTray.exe (PID: 3524)
      • computercenter.exe (PID: 6728)
      • intercept_bs_ui.exe (PID: 6136)
      • proc_opt_ui.exe (PID: 1480)
      • PCStore.exe (PID: 1804)
      • xban32.exe (PID: 7692)
      • xban32.exe (PID: 4512)
      • xban32.exe (PID: 4384)
      • xban32.exe (PID: 7864)
      • xban32.exe (PID: 7744)
      • xban32.exe (PID: 3140)
      • browser_guard.exe (PID: 6516)
    • Sends debugging messages

      • ComputerZTray.exe (PID: 3524)
      • CefView.exe (PID: 3744)
      • CefView.exe (PID: 6856)
      • CefView.exe (PID: 4336)
    • Reads the time zone

      • CefView.exe (PID: 5236)
      • CefView.exe (PID: 8008)
      • CefView.exe (PID: 6636)
    • Application based on Rust

      • ComputerZTray.exe (PID: 3524)
      • computercenter.exe (PID: 6728)
      • start_menu_pro.exe (PID: 5876)
      • index_service.exe (PID: 7064)
      • CefView.exe (PID: 4908)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 4968)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:08:01 09:46:35+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 14.16
CodeSize: 2620928
InitializedDataSize: 1225728
UninitializedDataSize: -
EntryPoint: 0x94515f
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 6.1024.1225.801
ProductVersionNumber: 6.1024.1225.801
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: 应用程序
FileVersion: 6.1024.1225.801
InternalName: inst.exe
LegalCopyright: Copyright (C) 2024
ProductName: 应用程序
ProductVersion: 6.1024.1225.801
No data.
All screenshots are available in the full report
Total processes
226
Monitored processes
96
Malicious processes
11
Suspicious processes
14

Behavior graph

start 微.信_b0134013606.exe ldshelper.exe computerztray.exe computercenter.exe start_menu_pro.exe index_service.exe regsvr32.exe no specs computercenter.exe no specs computercenter.exe no specs cefview.exe unsecapp.exe no specs start_menu_helper.exe no specs cefview.exe no specs cefview.exe no specs intercept_bs_ui.exe os_context_menu.exe no specs computercenter.exe no specs proc_opt_ui.exe computercenter.exe no specs storetray.exe pcstore.exe cefview.exe cefview.exe no specs cefview.exe no specs cefview.exe no specs cefview.exe cefview.exe no specs cefview.exe no specs extention.exe cefview.exe no specs cefview.exe no specs cefview.exe cefview.exe no specs cefview.exe no specs xban32.exe computercenter.exe no specs computercenter.exe no specs computercenter.exe no specs computercenter.exe no specs computercenter.exe no specs xban32.exe xban32.exe xban32.exe xban32.exe xban32.exe xban32.exe xban32.exe xban32.exe cmd.exe no specs conhost.exe no specs wmic.exe no specs xban32.exe xban32.exe xban32.exe xban32.exe xban32.exe xban32.exe xban32.exe xban32.exe xban32.exe xban32.exe xban32.exe xban32.exe cclean.exe no specs computercenter.exe no specs computercenter.exe no specs computercenter.exe no specs duplicate_file_clean.exe no specs computercenter.exe no specs intercept_bs_ui.exe no specs cclean.exe no specs cclean.exe no specs computercenter.exe no specs computercenter.exe no specs duplicate_file_clean.exe no specs privacy_protection.exe no specs defrag.exe computercenter.exe no specs computercenter.exe no specs computercenter.exe no specs computercenter.exe no specs computercenter.exe no specs computercenter.exe no specs computercenter.exe no specs privacy_protection.exe no specs browser_guard.exe privacy_incognito.exe no specs privacy_protection.exe no specs privacy_clean.exe cefview.exe cefview.exe no specs cefview.exe no specs cefview.exe no specs software_pm_ui.exe cefview.exe no specs 微.信_b0134013606.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
448
CMD:
"C:\Program Files (x86)\Ludashi\Utils\xban32.exe" --dll="C:\Program Files (x86)\Ludashi\plugin\RunExtention.tpi" --entry=RunExtentionScript --name=ludashi_sm_{19AFB03B-4443-4959-86A5-37AFAA9E1B25} --length=96
Path:
C:\Program Files (x86)\LuDaShi\Utils\xban32.exe
Parent process:
computercenter.exe
User:
admin
Integrity Level:
HIGH
Description:
Extention.exe
Exit code:
0
Version:
2.5023.1010.329
PID:
1480
CMD:
"C:\Program Files (x86)\Ludashi\SuperApp\proc_opt\proc_opt_ui.exe" --op_type=3 --extra=YIrLlkcAtQqVU6h73KZaPg==
Path:
C:\Program Files (x86)\LuDaShi\SuperApp\proc_opt\proc_opt_ui.exe
Parent process:
computercenter.exe
User:
admin
Company:
鲁大师
Integrity Level:
HIGH
Description:
电脑智能防卡顿
Version:
1.1024.1015.823
Modules
Images
c:\program files (x86)\ludashi\superapp\proc_opt\proc_opt_ui.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
1804
CMD:
"C:\Program Files (x86)\Ludashi\softmgr\PCStoreX\PCStore.exe" --exg=1 --from=tray --show=3 --softid=24070302 --softname=微信 --sourceid=0 --webid=1117
Path:
C:\Program Files (x86)\LuDaShi\softmgr\PCStoreX\PCStore.exe
Parent process:
StoreTray.exe
User:
admin
Integrity Level:
HIGH
Description:
市场程序
Version:
1.2524.1120.1024
Modules
Images
c:\program files (x86)\ludashi\softmgr\pcstorex\pcstore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
2212
CMD:
"C:\Program Files (x86)\Ludashi\SuperApp\start_menu_pro\start_menu_helper.exe"
Path:
C:\Program Files (x86)\LuDaShi\SuperApp\start_menu_pro\start_menu_helper.exe
Parent process:
start_menu_pro.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.5024.1005.612
Modules
Images
c:\program files (x86)\ludashi\superapp\start_menu_pro\start_menu_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
2432
CMD:
"C:\Program Files (x86)\Ludashi\Utils\cef69\CefView.exe" --type=renderer --no-sandbox --disable-gpu-compositing --service-pipe-token=17158252999522134722 --lang=zh-CN --log-file=disable.log --log-severity=disable --disable-extensions --ppapi-flash-path=pepflashplayer.dll --ppapi-flash-version=32.0.0.192 --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=17158252999522134722 --renderer-client-id=2 --mojo-platform-channel-handle=2380 /prefetch:1
Path:
C:\Program Files (x86)\LuDaShi\Utils\cef69\CefView.exe
Parent process:
CefView.exe
User:
admin
Integrity Level:
HIGH
Description:
WebLoad Application
Version:
4.5024.3150.1105
Modules
Images
c:\program files (x86)\ludashi\utils\cef69\cefview.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\imm32.dll
PID:
3140
CMD:
"C:\Program Files (x86)\Ludashi\Utils\xban32.exe" --dll="C:\Program Files (x86)\Ludashi\plugin\RunExtention.tpi" --entry=RunExtentionScript --name=ludashi_sm_{49C9BDC3-BD38-4c49-A73B-94A0DF969F82} --length=96
Path:
C:\Program Files (x86)\LuDaShi\Utils\xban32.exe
Parent process:
computercenter.exe
User:
admin
Integrity Level:
HIGH
Description:
Extention.exe
Exit code:
0
Version:
2.5023.1010.329
PID:
3524
CMD:
"C:\Program Files (x86)\Ludashi\ComputerZTray.exe" /NoFloat /disable_panel /disable_temp_alarm /SoftMgr="/s --pid=ldsimp_1117 --sourceid=0 --softid=24070302 --from=site --webid=1117 --softname=微信 --show=3 --exg=1"
Path:
C:\Program Files (x86)\LuDaShi\ComputerZTray.exe
Parent process:
微.信_b0134013606.exe
User:
admin
Integrity Level:
HIGH
Description:
鲁大师 硬件防护中心
Version:
5.1024.2605.923
Modules
Images
c:\program files (x86)\ludashi\computerztray.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID:
3620
CMD:
"C:\Program Files (x86)\Ludashi\Utils\xban32.exe" --dll="C:\Program Files (x86)\Ludashi\plugin\RunExtention.tpi" --entry=RunExtentionScript --name=ludashi_sm_{BE2C5063-9B5D-4d31-A249-634A9C66E6F7} --length=73
Path:
C:\Program Files (x86)\LuDaShi\Utils\xban32.exe
Parent process:
computercenter.exe
User:
admin
Integrity Level:
HIGH
Description:
Extention.exe
Exit code:
0
Version:
2.5023.1010.329
PID:
3620
CMD:
"C:\Program Files (x86)\Ludashi\\SuperApp\cclean\cclean.exe" --PluginCmd=" --source_id=cclean --touch_id=2"
Path:
C:\Program Files (x86)\LuDaShi\SuperApp\cclean\cclean.exe
Parent process:
computercenter.exe
User:
admin
Integrity Level:
HIGH
Description:
系统盘清理 (System Drive Cleanup)
Exit code:
0
Version:
1.1024.1000.516
PID:
3652
Command line:
"C:\Program Files (x86)\Ludashi\computercenter.exe" --PluginName=mem_opt_client --PluginCmd=" --source_id=memopt_pro --touch_id=1"
Path:
C:\Program Files (x86)\LuDaShi\computercenter.exe
Parent process:
computercenter.exe
User:
admin
Integrity Level:
HIGH
Description:
程序 (Program)
Exit code:
4294967295
Version:
1.5024.1230.1111
Total events
323 850
Read events
323 539
Write events
297
Delete events
14

Modification events

(PID) Process:
(6412) 微.信_b0134013606.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CommonDown
Operation:
write
Name:
guid
Value:
{5DA0E2B3-EEA2-4019-B599-4A0F80494D10}
(PID) Process:
(6412) 微.信_b0134013606.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:
write
Name:
CachePrefix
Value:
(PID) Process:
(6412) 微.信_b0134013606.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:
write
Name:
CachePrefix
Value:
Cookie:
(PID) Process:
(6412) 微.信_b0134013606.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:
write
Name:
CachePrefix
Value:
Visited:
(PID) Process:
(6412) 微.信_b0134013606.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ComMaster
Operation:
write
Name:
mid
Value:
80342cb959da2233832ae840f019ccba8b56b331eb673be97c52113eab1cd1bc
(PID) Process:
(6412) 微.信_b0134013606.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
Operation:
delete value
Name:
3679CA35668772304D30A5FB873B0FA77BB70D54
Value:
(PID) Process:
(6412) 微.信_b0134013606.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54
Operation:
write
Name:
Blob
Value:
(PID) Process:
(6412) 微.信_b0134013606.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\3679CA35668772304D30A5FB873B0FA77BB70D54
Operation:
write
Name:
Blob
Value:
(PID) Process:
(6412) 微.信_b0134013606.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation:
delete value
Name:
ldsuninst
Value:
(PID) Process:
(6412) 微.信_b0134013606.exe
Key:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ComMaster
Operation:
write
Name:
m2
Value:
fe9694f777e256d0cc4755a6dd1f6ad7651f60d32bec
Executable files
410
Suspicious files
329
Text files
558
Unknown types
23

Dropped files

PID
Process
Filename
Type
PID:
6412
Process:
微.信_b0134013606.exe
Filename:
C:\Users\admin\AppData\Roaming\titan\titan.report
Type:
MD5:
SHA256:
PID:
6412
Process:
微.信_b0134013606.exe
Filename:
C:\Users\admin\AppData\Roaming\ludashi\setup.dll
Type:
MD5:
SHA256:
PID:
6412
Process:
微.信_b0134013606.exe
Filename:
C:\Program Files (x86)\Ludashi\{560CB8BE-727E-4631-9FCB-CDDA7A146612}.tf
Type:
binary
MD5:2FE38ECB18708CF02A45033F25927457
SHA256:C78A66AD639D55C6B1BB78B5D35310E09C47AE75C695795292635CEB5E4952EB
PID:
6412
Process:
微.信_b0134013606.exe
Filename:
C:\Users\admin\AppData\Roaming\titan\titan.dns
Type:
text
MD5:C5284F6D64BAE45B728F5AD4F6972C63
SHA256:6430CA6AF183804774DD64B32E0344BF26F91567FD76042BA0CB5EB3142A0362
PID:
6412
Process:
微.信_b0134013606.exe
Filename:
C:\Users\admin\AppData\Roaming\titan\titan.config
Type:
binary
MD5:3E33F641E78AD811CA03874F0A86B021
SHA256:88F3DEBAD437132EF4623CBC65F18C4088117ABB98E29C729D50EF0261EC718D
PID:
6412
Process:
微.信_b0134013606.exe
Filename:
C:\Users\admin\AppData\Local\Temp\{F48EC25C-CABA-4a26-B7A3-4564DAD9FAC8}.tmp
Type:
compressed
MD5:2777C72BC6777BFB72AC1734F38FE01C
SHA256:AEC53AE5C098AC2B99951C380565C0BE846A6F1CF102F5B72F22232677247BED
PID:
6412
Process:
微.信_b0134013606.exe
Filename:
C:\Users\admin\AppData\Roaming\titan\titan.lck
Type:
text
MD5:3250320DCAF3B60F1417B7B37986C4A3
SHA256:40A7E9ACB06295D6CCC4DE8B5790AA4CEA3456F9BB1DD3E91F192BA5CA98BF97
PID:
6412
Process:
微.信_b0134013606.exe
Filename:
C:\Program Files (x86)\Ludashi\{762104C5-AC6D-4ad8-9096-F4ADF3D23CDD}.tf
Type:
binary
MD5:EC3EBA4AF2157CF330461E4453E60DDA
SHA256:24AB7D9FB1FEC3B3C8EB38B2467A871645EEEBD69E6C18A73F31D889024F96B9
PID:
6412
Process:
微.信_b0134013606.exe
Filename:
C:\Users\admin\AppData\Local\Temp\{B1063E22-438E-448a-BB0A-60917A9E6C12}.tf
Type:
binary
MD5:91A2860C8E500DF3FCF8F3B43FBF8928
SHA256:C34E0F39C136020E161564C2E37EED202301FC8FFB88227B9E8161C47D549007
PID:
6412
Process:
微.信_b0134013606.exe
Filename:
C:\Users\admin\AppData\Local\Temp\{26C73D12-9202-42d1-B784-B807E2E7FDB9}.tmp\7z.dll
Type:
executable
MD5:2888126384D873CC49AF32BBE34BB296
SHA256:ABA19501A8033495664879E09E60E4788537D387CF038FA8769E5B178BCCDCB4
HTTP(S) requests
301
TCP/UDP connections
528
DNS requests
65
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6072
svchost.exe
GET
200
23.53.41.90:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6412
微.信_b0134013606.exe
GET
200
106.15.139.117:80
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=run&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=80342cb959da2233832ae840f019ccba&ex_ary[siteid]=1117&ex_ary[softid]=24070302&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=wechat.steampowere.top@@932463414009
unknown
whitelisted
6412
微.信_b0134013606.exe
POST
200
114.115.204.103:80
http://softmgr-stat.ludashi.com/downloader/soft/reportNew
unknown
whitelisted
6412
微.信_b0134013606.exe
GET
200
106.15.139.117:80
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=ldsdownstart&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=80342cb959da2233832ae840f019ccba&ex_ary[siteid]=1117&ex_ary[softid]=24070302&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=wechat.steampowere.top@@932463414009
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6412
微.信_b0134013606.exe
GET
111.7.66.168:80
http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll
unknown
whitelisted
6412
微.信_b0134013606.exe
GET
200
106.15.139.117:80
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_succ&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=80342cb959da2233832ae840f019ccba&ex_ary[method]=titan_sdk&ex_ary[time]=38172&ex_ary[url]=http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll&ex_ary[type]=3&ex_ary[siteid]=1117&ex_ary[softid]=24070302&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=wechat.steampowere.top@@932463414009
unknown
whitelisted
6412
微.信_b0134013606.exe
GET
200
106.15.139.117:80
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=ldsdownload&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=80342cb959da2233832ae840f019ccba&ex_ary[v]=15&ex_ary[siteid]=1117&ex_ary[softid]=24070302&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=wechat.steampowere.top@@932463414009
unknown
whitelisted
6412
微.信_b0134013606.exe
GET
200
106.15.139.117:80
http://s.ludashi.com/url2?pid=buysite_1117&type=xzq&action=down_start&appver=6.1024.1225.801&modver=6.1024.1225.801&mid=80342cb959da2233832ae840f019ccba&ex_ary[method]=titan_sdk&ex_ary[url]=http://cdn-hsy-titan-test.ludashi.com/inst_pkgs/ludashi/6.1024.4100.1113/ludashi_lite_sem.dll&ex_ary[type]=3&ex_ary[siteid]=1117&ex_ary[softid]=24070302&ex_ary[os]=10.0.19045&ex_ary[sr]=0&ex_ary[bit]=1&ex_ary[tagid]=wechat.steampowere.top@@932463414009
unknown
whitelisted
6412
微.信_b0134013606.exe
GET
403
61.170.79.226:80
http://cdn-titan-test.ludashi.com/
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4712
MoUsoCoreWorker.exe
23.53.41.90:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6072
svchost.exe
23.53.41.90:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6072
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
104.126.37.130:443
www.bing.com
Akamai International B.V.
DE
whitelisted
5064
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
6412
微.信_b0134013606.exe
49.4.55.6:80
softmgr-cfg.ludashi.com
Huawei Cloud Service data center
CN
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 23.53.41.90
  • 23.53.40.176
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
google.com
  • 172.217.16.206
whitelisted
www.bing.com
  • 104.126.37.130
  • 104.126.37.163
  • 104.126.37.162
  • 104.126.37.171
  • 104.126.37.137
  • 104.126.37.144
  • 104.126.37.139
  • 104.126.37.155
  • 104.126.37.153
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
softmgr-cfg.ludashi.com
  • 49.4.55.6
whitelisted
softmgr-stat.ludashi.com
  • 114.115.204.103
whitelisted
s.ludashi.com
  • 106.15.139.117
whitelisted
go.microsoft.com
  • 184.30.17.189
whitelisted

Threats

PID
Process
Class
Message
6412
微.信_b0134013606.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
7416
Extention.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
7416
Extention.exe
Misc activity
ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
No debug info