File name:

微信_sm60048088e.exe

Full analysis: https://app.any.run/tasks/69b739bd-4b81-435a-b554-fd5beb906f6e
Verdict: Malicious activity
Threats:

Adware is software that pushes unwanted advertising at the user, usually arriving through software bundling, deceptive download pages or look-alike installers. Once installed it may track activity, collect data, display pop-ups or banners, and establish persistence that makes removal harder; some variants also pull in further unwanted components. In this report the adware verdict rests on the Suricata signature PUP.Win32/KingSoft.E, which fired on the sample's HTTP POSTs (every POST in the request list below goes to infoc0.duba.net/c/), and on the file's own version resource, which identifies it as a Kingsoft Internet Security installer (InternalName KInstallTool) travelling under a WeChat (微信) file name; the run also launches WeChatSetup-3.9.12.exe, so this is a bundled install rather than a plain WeChat setup. The SAINBOX and EXPLOIT hits are attached to processes of the installed Kingsoft suite (kxemain.exe, kxescore.exe), not to the WeChat installer, so check them against the full report before treating the run as RAT or exploit activity.

Analysis date: May 31, 2025, 22:05:04
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
adware
loader
sainbox
rat
exploit
crypto-regex
delphi
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5:

60F4DF7A25E8E851A7201AA2E72FEE4D

SHA1:

62B243FFCA40383D7D21B44552AC105262527133

SHA256:

F2820A99972184DF9E0CE022E97DA179F6AC6BBBDE7AA4F8EB95A5DB34884538

SSDEEP:

98304:rpqixpfV5VCNXs4ujlWbAuMow2gm8hT5JQdsxcyrirB+BpNn84aJjgbKMln+AwaM:rfxcyE6drB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • ADWARE has been detected (SURICATA)

      • 微信_sm60048088e.exe (PID: 7816)
    • Changes the autorun value in the registry

      • 微信_sm60048088e.exe (PID: 7816)
    • SAINBOX has been detected

      • kxemain.exe (PID: 7248)
    • EXPLOIT has been detected (SURICATA)

      • kxemain.exe (PID: 7248)
      • kxescore.exe (PID: 3192)
  • SUSPICIOUS

    • Process requests binary or script from the Internet

      • 微信_sm60048088e.exe (PID: 7816)
      • ksoftmgr.exe (PID: 4408)
      • kxetray.exe (PID: 5988)
      • kxemain.exe (PID: 7248)
      • ksoftmgr.exe (PID: 1532)
      • kxemain.exe (PID: 6396)
    • There is functionality for taking screenshot (YARA)

      • 微信_sm60048088e.exe (PID: 7816)
      • ksoftmgr.exe (PID: 1532)
      • kxetray.exe (PID: 5988)
    • Potential Corporate Privacy Violation

      • 微信_sm60048088e.exe (PID: 7816)
      • ksoftmgr.exe (PID: 1532)
    • Process drops legitimate windows executable

      • 微信_sm60048088e.exe (PID: 7816)
      • kxemain.exe (PID: 7248)
      • kxemain.exe (PID: 9812)
    • Access to an unwanted program domain was detected

      • 微信_sm60048088e.exe (PID: 7816)
    • Reads security settings of Internet Explorer

      • 微信_sm60048088e.exe (PID: 7816)
      • ksoftmgr.exe (PID: 4408)
      • kxetray.exe (PID: 5988)
      • kxescore.exe (PID: 3192)
      • ksoftmgr.exe (PID: 1532)
    • Executable content was dropped or overwritten

      • 微信_sm60048088e.exe (PID: 7816)
      • kxemain.exe (PID: 7248)
      • kxetray.exe (PID: 5988)
      • kwsprotect64.exe (PID: 4424)
      • kxescore.exe (PID: 3192)
      • WeChatSetup-3.9.12.exe (PID: 9708)
      • kxemain.exe (PID: 9228)
      • kxemain.exe (PID: 9440)
      • kxemain.exe (PID: 9812)
      • kxemain.exe (PID: 9428)
    • Creates files in the driver directory

      • 微信_sm60048088e.exe (PID: 7816)
    • Drops a system driver (possible attempt to evade defenses)

      • 微信_sm60048088e.exe (PID: 7816)
    • The process verifies whether the antivirus software is installed

      • 微信_sm60048088e.exe (PID: 7816)
      • kavlog2.exe (PID: 2140)
      • ksoftmgr.exe (PID: 4408)
      • ksoftmgr.exe (PID: 1532)
      • kxemain.exe (PID: 7248)
      • kxetray.exe (PID: 5988)
      • kxescore.exe (PID: 3192)
    • Creates/Modifies COM task schedule object

      • 微信_sm60048088e.exe (PID: 7816)
    • Write to the desktop.ini file (may be used to cloak folders)

      • 微信_sm60048088e.exe (PID: 7816)
    • Reads Internet Explorer settings

      • ksoftmgr.exe (PID: 4408)
    • The process creates files with name similar to system file names

      • 微信_sm60048088e.exe (PID: 7816)
    • The process drops C-runtime libraries

      • 微信_sm60048088e.exe (PID: 7816)
      • kxemain.exe (PID: 7248)
      • kxemain.exe (PID: 9812)
    • Creates a software uninstall entry

      • 微信_sm60048088e.exe (PID: 7816)
    • Executes as Windows Service

      • kxescore.exe (PID: 3192)
      • kxewsc.exe (PID: 6516)
    • Uses NETSH.EXE to add a firewall rule or allowed programs

      • ksoftmgr.exe (PID: 1532)
    • Connects to the server without a host name

      • ksoftmgr.exe (PID: 1532)
      • kxetray.exe (PID: 5988)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • WeChatSetup-3.9.12.exe (PID: 9708)
    • Application launched itself

      • knewvip.exe (PID: 7616)
    • Executes application which crashes

      • msedge.exe (PID: 10136)
    • Found regular expressions for crypto-addresses (YARA)

      • kxetray.exe (PID: 5988)
    • Reads Microsoft Outlook installation path

      • ksoftmgr.exe (PID: 4408)
  • INFO

    • Create files in a temporary directory

      • 微信_sm60048088e.exe (PID: 7816)
    • Reads the computer name

      • 微信_sm60048088e.exe (PID: 7816)
      • InstallHelper.exe (PID: 7372)
      • ksoftmgr.exe (PID: 4408)
      • ksoftmgr.exe (PID: 1532)
      • kxetray.exe (PID: 5988)
      • kxescore.exe (PID: 3192)
      • kxemain.exe (PID: 7248)
    • Reads the machine GUID from the registry

      • 微信_sm60048088e.exe (PID: 7816)
      • ksoftmgr.exe (PID: 1532)
      • kxescore.exe (PID: 3192)
    • Checks supported languages

      • 微信_sm60048088e.exe (PID: 7816)
      • InstallHelper.exe (PID: 7372)
      • kavlog2.exe (PID: 2140)
      • ksoftmgr.exe (PID: 4408)
      • ksoftmgr.exe (PID: 1532)
      • kxetray.exe (PID: 5988)
      • kxescore.exe (PID: 3192)
      • kxemain.exe (PID: 7248)
    • Creates files in the program directory

      • 微信_sm60048088e.exe (PID: 7816)
      • ksoftmgr.exe (PID: 4408)
      • ksoftmgr.exe (PID: 1532)
      • kxetray.exe (PID: 5988)
      • kxemain.exe (PID: 7248)
      • kxescore.exe (PID: 3192)
    • Process checks whether UAC notifications are on

      • 微信_sm60048088e.exe (PID: 7816)
    • The sample compiled with english language support

      • 微信_sm60048088e.exe (PID: 7816)
      • kxemain.exe (PID: 7248)
      • kxemain.exe (PID: 9228)
      • kxemain.exe (PID: 9812)
      • kxemain.exe (PID: 9428)
      • WeChatSetup-3.9.12.exe (PID: 9708)
    • Checks proxy server information

      • 微信_sm60048088e.exe (PID: 7816)
      • ksoftmgr.exe (PID: 4408)
      • ksoftmgr.exe (PID: 1532)
    • Creates files or folders in the user directory

      • 微信_sm60048088e.exe (PID: 7816)
      • ksoftmgr.exe (PID: 4408)
      • ksoftmgr.exe (PID: 1532)
      • kxetray.exe (PID: 5988)
    • Process checks computer location settings

      • 微信_sm60048088e.exe (PID: 7816)
      • kxetray.exe (PID: 5988)
      • ksoftmgr.exe (PID: 1532)
    • The sample compiled with chinese language support

      • 微信_sm60048088e.exe (PID: 7816)
      • WeChatSetup-3.9.12.exe (PID: 9708)
    • Launch of the file from Registry key

      • 微信_sm60048088e.exe (PID: 7816)
    • Manual execution by a user

      • msedge.exe (PID: 8824)
    • Application launched itself

      • msedge.exe (PID: 8908)
      • msedge.exe (PID: 8824)
    • Compiled with Borland Delphi (YARA)

      • kxetray.exe (PID: 5988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1970:02:16 18:59:12+00:00 (raw value 0x3DB000; this predates the PE format, so the link-time stamp was overwritten and cannot be used to date the build)
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 1687552
InitializedDataSize: 2351104
UninitializedDataSize: -
EntryPoint: 0xa4a18
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2023.11.15.620
ProductVersionNumber: 9.3.0.2524
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Kingsoft Corporation
FileDescription: Kingsoft Security - 安装程序 (Installer)
FileVersion: 2023,11,09,2524
InternalName: KInstallTool
LegalCopyright: Copyright (C) 1998-2023 Kingsoft Corporation
OriginalFileName: -
ProductName: Kingsoft Internet Security
ProductVersion: 9,3,0,2524
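The Indicators and EXIF blocks above give the three file digests and a PE timestamp of 1970-02-16, which no real linker could have produced. The following is an added example (not code from ANY.RUN or from the page) of the first two triage checks a practitioner runs on such a file: reproduce the report's hashes and read the COFF TimeDateStamp straight from the headers, flagging values that are zeroed, earlier than the PE format itself or later than the date the sample was seen running. The real sample is not embedded; the bytes fed through the functions are a constructed MZ/PE header stub, and the 1993 lower bound is an assumption used as a practical cut-off.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Digests and analysis date copied from the report above. The sample itself is not
# embedded here; the bytes pushed through these functions are a constructed header stub.
REPORT_HASHES = {
    "md5": "60F4DF7A25E8E851A7201AA2E72FEE4D",
    "sha1": "62B243FFCA40383D7D21B44552AC105262527133",
    "sha256": "F2820A99972184DF9E0CE022E97DA179F6AC6BBBDE7AA4F8EB95A5DB34884538",
}
ANALYSIS_DATE = datetime(2025, 5, 31, 22, 5, 4, tzinfo=timezone.utc)
# Assumption: no genuine PE link-time stamp predates Windows NT 3.1 (1993); anything
# earlier was overwritten or zeroed by the build tooling.
EARLIEST_PLAUSIBLE = datetime(1993, 1, 1, tzinfo=timezone.utc)


def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the bytes, upper-case hex the way the report prints them."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def matching_hashes(data: bytes, iocs: dict = REPORT_HASHES) -> list:
    """Which of the report's digests these bytes reproduce (all or none for an intact file)."""
    ours = file_hashes(data)
    return [algo for algo, digest in iocs.items() if ours[algo] == digest.upper()]


def pe_timestamp(data: bytes) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp, found by walking MZ -> e_lfanew -> 'PE\\0\\0'."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # COFF header follows the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timestamp_verdict(stamp: datetime, observed: datetime = ANALYSIS_DATE) -> str:
    if stamp.timestamp() == 0:
        return "zeroed"
    if stamp < EARLIEST_PLAUSIBLE:
        return "implausible-past"   # the 1970 value in this report lands here
    if stamp > observed:
        return "future"             # later than the date the file was seen running
    return "plausible"


def triage(data: bytes) -> dict:
    stamp = pe_timestamp(data)
    return {
        "hashes": file_hashes(data),
        "matches_report": matching_hashes(data),
        "timestamp": stamp.isoformat(),
        "timestamp_verdict": timestamp_verdict(stamp),
    }


def build_stub_pe(stamp: int, machine: int = 0x014C, sections: int = 4,
                  characteristics: int = 0x0103) -> bytes:
    """Constructed MZ + PE signature + COFF header only (not executable, not the sample).
    Defaults mirror the EXIF block: Intel 386, 4 sections, No relocs | Executable | 32-bit."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, sections, stamp, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # 0x3DB000 seconds after the epoch is exactly the 1970-02-16 18:59:12 stamp shown above
    print(triage(build_stub_pe(0x3DB000)))
```

Run it against the real file by replacing the stub with `open(path, "rb").read()`; a file whose digests all match but whose stamp is "implausible-past" is the normal picture for an installer built with a reproducible or deliberately blanked timestamp, which is why the stamp must not be used as evidence of build date.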
All screenshots are available in the full report
Total processes: 213
Monitored processes: 74
Malicious processes: 7
Suspicious processes: 1

Behavior graph

Process nodes in graph order (nodes marked "no specs" carry no indicator details in the graph): start, #ADWARE 微信_sm60048088e.exe, installhelper.exe, slui.exe, kavlog2.exe (no specs), ksoftmgr.exe, ksoftmgr.exe, kxetray.exe, #EXPLOIT kxescore.exe, #SAINBOX kxemain.exe, netsh.exe (no specs), conhost.exe (no specs), knewvip.exe (no specs), kxecenter.exe (no specs), kismain.exe (no specs), kxetray.exe (no specs), kxemain.exe, ksoftmgr.exe (no specs), kupdata.exe, kwsprotect64.exe, kxewsc.exe (no specs), kxecenter.exe (no specs) x2, msedge.exe (no specs) x4, msedge.exe, msedge.exe (no specs) x2, msedge.exe, msedge.exe (no specs) x5, kwsprotect64.exe (no specs) x2, wechatsetup-3.9.12.exe, msedge.exe (no specs) x2, knewvip.exe (no specs), msedge.exe (no specs) x4, kwsprotect64.exe (no specs) x2, msedge.exe (no specs) x4, msedge.exe, msedge.exe (no specs), werfault.exe, kxemain.exe, identity_helper.exe (no specs) x2, msedge.exe (no specs) x7, kxemain.exe x2, msedge.exe (no specs) x3, kupdata.exe (no specs), kxecenter.exe, kxemain.exe, svchost.exe, 微信_sm60048088e.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 208
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5444 --field-trial-handle=2288,i,2632568717334694588,3873026011811090950,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 856
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=4644 --field-trial-handle=2288,i,2632568717334694588,3873026011811090950,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
PWA Identity Proxy Host
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\identity_helper.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1532
CMD: "c:\program files (x86)\kingsoft\kingsoft antivirus\ksoftmgr.exe" -install:60048088 -src:106 -lenovoodd:lSuXL58=
Path: C:\Program Files (x86)\kingsoft\kingsoft antivirus\ksoftmgr.exe
Parent process: 微信_sm60048088e.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
Kingsoft Security - 软件管家 (Software Manager)
Version:
2024,11,11,2927
Modules
Images
c:\program files (x86)\kingsoft\kingsoft antivirus\ksoftmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 1560
CMD: "c:\program files (x86)\kingsoft\kingsoft antivirus\kismain.exe" /ksoftmgr /create_virtualdisk
Path: C:\Program Files (x86)\kingsoft\kingsoft antivirus\kismain.exe
Parent process: kxecenter.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
Kingsoft Security - Kingsoft KIS Main
Exit code:
0
Version:
2022,07,19,1839
Modules
Images
c:\program files (x86)\kingsoft\kingsoft antivirus\kismain.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 2140
CMD: "c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe" -install
Path: C:\Program Files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
Parent process: 微信_sm60048088e.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
Kingsoft Security - KXEngine KeventLog3
Exit code:
0
Version:
2023,01,30,2217
Modules
Images
c:\program files (x86)\kingsoft\kingsoft antivirus\kavlog2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 3192
CMD: "c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe" /service kxescore
Path: C:\Program Files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
Parent process: services.exe
User:
SYSTEM
Company:
Kingsoft Corporation
Integrity Level:
SYSTEM
Description:
Kingsoft Security - 防御服务 (Defense Service)
Version:
2024,09,03,2853
Modules
Images
c:\program files (x86)\kingsoft\kingsoft antivirus\kxescore.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 4028
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: netsh.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4408
CMD: "c:\program files (x86)\kingsoft\kingsoft antivirus\ksoftmgr.exe" -preload
Path: C:\Program Files (x86)\kingsoft\kingsoft antivirus\ksoftmgr.exe
Parent process: 微信_sm60048088e.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
Kingsoft Security - 软件管家 (Software Manager)
Exit code:
0
Version:
2024,11,11,2927
Modules
Images
c:\program files (x86)\kingsoft\kingsoft antivirus\ksoftmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 4424
CMD: "kwsprotect64.exe" (null)
Path: C:\Program Files (x86)\kingsoft\kingsoft antivirus\kwsprotect64.exe
Parent process: kxetray.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
Kingsoft Security - Kingsoft Web-Protection Module
Version:
2024,05,15,2719
Modules
Images
c:\program files (x86)\kingsoft\kingsoft antivirus\kwsprotect64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
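The behaviour lists above attribute each indicator to the PID that performed it, but the NETSH firewall rule, the dropped driver and the service start all belong to one chain that begins at the sample. The following is an added example (not code from ANY.RUN or from the page) that rebuilds the parent-child chains from the Process information section and rolls every descendant's indicators up to the root of its chain, so an analyst can charge the firewall change made by netsh.exe to the dropper rather than to a transient child. netsh.exe is named on the page only as conhost.exe's parent, so its PID (9001) and its parent (1532, the ksoftmgr.exe flagged for NETSH) are assumptions; kxetray.exe (5988) and kxescore.exe (3192) have no parent on this page and therefore surface as unresolved roots to be connected from the full report.

```python
from collections import defaultdict

# pid -> (parent pid, image), transcribed from the Process information section above.
# None means the page does not show the parent. 9001 and its parent are assumed.
PROCESSES = {
    7816: (None, "微信_sm60048088e.exe"),
    4408: (7816, "ksoftmgr.exe"),
    1532: (7816, "ksoftmgr.exe"),
    2140: (7816, "kavlog2.exe"),
    9001: (1532, "netsh.exe"),        # assumed PID and parent (page names netsh.exe only as conhost's parent)
    4028: (9001, "conhost.exe"),
    5988: (None, "kxetray.exe"),      # parent not shown on this page
    4424: (5988, "kwsprotect64.exe"), # page gives parent as kxetray.exe; PID 5988 is the kxetray in the indicator lists
    3192: (None, "kxescore.exe"),     # launched by services.exe as a service
}

# Short tags per PID, taken from the MALICIOUS / SUSPICIOUS lists above.
INDICATORS = {
    7816: {"adware-suricata", "autorun-registry", "driver-dropped", "com-task-schedule"},
    1532: {"netsh-firewall-rule", "connect-no-hostname"},
    5988: {"crypto-address-regex", "connect-no-hostname"},
    4424: {"executable-dropped"},
    3192: {"exploit-suricata", "windows-service"},
}


def ancestry(pid, procs=PROCESSES):
    """PIDs from `pid` upward; stops at an unknown parent or at a cycle."""
    chain = []
    while pid in procs and pid not in chain:
        chain.append(pid)
        pid = procs[pid][0]
    return chain


def root_of(pid, procs=PROCESSES):
    chain = ancestry(pid, procs)
    if not chain:
        raise KeyError(pid)
    return chain[-1]


def chain_text(pid, procs=PROCESSES):
    """Human-readable chain, child first, e.g. 'conhost.exe <- netsh.exe <- ...'."""
    return " <- ".join(procs[p][1] for p in ancestry(pid, procs))


def rollup(procs=PROCESSES, indicators=INDICATORS):
    """Charge every process's indicators to the root of its chain, so a firewall rule
    added three levels down is attributed to the dropper that started the chain."""
    by_root = defaultdict(set)
    for pid in procs:
        by_root[root_of(pid, procs)] |= indicators.get(pid, set())
    return dict(by_root)


def unresolved_roots(procs=PROCESSES, sample_pid=7816):
    """Roots other than the sample: chains this page cannot connect to the dropper."""
    return sorted(pid for pid in procs if root_of(pid, procs) == pid and pid != sample_pid)


if __name__ == "__main__":
    print(chain_text(4028))
    for root, tags in rollup().items():
        print(root, PROCESSES[root][1], sorted(tags))
    print("unresolved roots:", unresolved_roots())
```

The unresolved-roots output is the useful part in practice: a chain that stops short of the sample means the tree on the page is incomplete (here kxetray.exe and the kxescore service), and those are the PIDs to look up in the full report before deciding what the installer is responsible for.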
Total events: 119 709
Read events: 119 138
Write events: 346
Delete events: 225

Modification events

(PID) Process: (7816) 微信_sm60048088e.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
Operation: write
Name: idex
Value: 717f0febfd791c8a3d5466b54dd9d727

(PID) Process: (7816) 微信_sm60048088e.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
Operation: write
Name: idno
Value: 1

(PID) Process: (7816) 微信_sm60048088e.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}
Operation: write
Name: did
Value: 544CE2F7AD2086089700061031EBEE5C

(PID) Process: (7816) 微信_sm60048088e.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}
Operation: write
Name: PacketPath_226_716_1
Value: C:\Users\admin\AppData\Local\Temp\duba_u33529239_sv1_94_25.dll

(PID) Process: (7816) 微信_sm60048088e.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
Operation: write
Name: svrid
Value:

(PID) Process: (7816) 微信_sm60048088e.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
Operation: write
Name: svrid
Value: zy9efmmdn5a28y5nk4b9enlu4edf

(PID) Process: (7816) 微信_sm60048088e.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (7816) 微信_sm60048088e.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7816) 微信_sm60048088e.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7816) 微信_sm60048088e.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\kingsoft\installfail
Operation: write
Name: calltime
Value:

Executable files: 483
Suspicious files: 979
Text files: 597
Unknown types: 0

Dropped files

PID
Process
Filename
Type
7816 | 微信_sm60048088e.exe | C:\Users\admin\AppData\Local\Temp\install_res\soft.ico | image
  MD5: F09986091A0DA5D72A57248E12A9AE4E
  SHA256: 20C293C66182884940954A5EE7A37937B3FBBC90BDB0FCEE714B66BEE2518671
7816 | 微信_sm60048088e.exe | C:\Users\admin\AppData\Local\Temp\install_res\backup_0317\soft.ico | image
  MD5: F09986091A0DA5D72A57248E12A9AE4E
  SHA256: 20C293C66182884940954A5EE7A37937B3FBBC90BDB0FCEE714B66BEE2518671
7816 | 微信_sm60048088e.exe | C:\Users\admin\AppData\Local\Temp\duba_u33529239_sv1_94_25.dll | -
  MD5:
  SHA256:
7816 | 微信_sm60048088e.exe | C:\Users\admin\AppData\Local\Temp\install_res\100.png | image
  MD5: A64D7F2A825F5547182E9E3EE25B4544
  SHA256: E78B678846C177786E70E29D5111359D4AFF20D9AC5935FAD2BE87B17D7F9FC9
7816 | 微信_sm60048088e.exe | C:\Users\admin\AppData\Local\Temp\install_res\backup_0317\6002.xml | html
  MD5: CEB654AE6F9019CB8866E23D54AB8B60
  SHA256: 906A471AD7BF885619BBE1C3F62777DB0C4DBCEC76233E129E44E68A3AB0A4C0
7816 | 微信_sm60048088e.exe | C:\Users\admin\AppData\Local\Temp\install_res\6002.xml | html
  MD5: 20C787ADF90C23292E729088D89D349A
  SHA256: 5C2E5A79AE6042C995C34DC5EB6BA358BE2A61633DA5E2DB55CFF32772AD76DA
7816 | 微信_sm60048088e.exe | C:\Users\admin\AppData\Local\Temp\install_res\backup_0317\installconfig.ini | text
  MD5: D74F0AEC2D7B7E505E346D212EEAFB4A
  SHA256: BB224EF78FA69BFEAB058765D4CBB22FA30C0B8C5656E09AC2EA875A2C73D6AE
7816 | 微信_sm60048088e.exe | C:\Users\admin\AppData\Local\Temp\install_res\backup_0317\soft.ico_ | image
  MD5: 6F2B23D493B22D7CB414C9BCB69903CB
  SHA256: 4574F94F61954AC1D9B57E5254E8217DC9CA9BE6DF2A6046CDAB8FFFFD7AD8ED
7816 | 微信_sm60048088e.exe | C:\Users\admin\AppData\Local\Temp\jcqgx.ini | text
  MD5: 478B13BDC92E7D49E1E4A9B9C496FE9A
  SHA256: 7B8DFFD78EB43C4FA4472104DFC03C787196E5E6D852189F0F5BC0DC816E4F79
7816 | 微信_sm60048088e.exe | C:\Users\admin\AppData\Local\Temp\install_res\backup_0317\100.png | image
  MD5: A64D7F2A825F5547182E9E3EE25B4544
  SHA256: E78B678846C177786E70E29D5111359D4AFF20D9AC5935FAD2BE87B17D7F9FC9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 750
TCP/UDP connections: 837
DNS requests: 104
Threats: 153

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7816 | 微信_sm60048088e.exe | POST | 200 | 121.37.247.153:80 | http://infoc0.duba.net/c/ | unknown | - | - | whitelisted
7816 | 微信_sm60048088e.exe | GET | 200 | 218.12.76.157:80 | http://2398.35go.net/defend/o1/jcqgx.ini | unknown | - | - | whitelisted
7816 | 微信_sm60048088e.exe | POST | 200 | 121.37.247.153:80 | http://infoc0.duba.net/c/ | unknown | - | - | whitelisted
7816 | 微信_sm60048088e.exe | POST | 200 | 121.37.247.153:80 | http://infoc0.duba.net/c/ | unknown | - | - | whitelisted
7816 | 微信_sm60048088e.exe | GET | 200 | 36.41.168.165:80 | http://softmgr.duba.net/softmgr_v2/softdetail/60048088.json?ver=1 | unknown | - | - | whitelisted
7816 | 微信_sm60048088e.exe | GET | 200 | 218.12.76.155:80 | http://config.i.duba.net/seminstall/226/716.xml?time=1748729118 | unknown | - | - | whitelisted
7816 | 微信_sm60048088e.exe | POST | 200 | 121.37.247.153:80 | http://infoc0.duba.net/c/ | unknown | - | - | whitelisted
7816 | 微信_sm60048088e.exe | POST | 200 | 121.37.247.153:80 | http://infoc0.duba.net/c/ | unknown | - | - | whitelisted
7816 | 微信_sm60048088e.exe | POST | 200 | 121.37.247.153:80 | http://infoc0.duba.net/c/ | unknown | - | - | whitelisted
7816 | 微信_sm60048088e.exe | POST | 200 | 121.37.247.153:80 | http://infoc0.duba.net/c/ | unknown | - | - | whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7600 | svchost.exe | 51.104.136.2:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 20.190.159.129:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7816 | 微信_sm60048088e.exe | 218.12.76.157:80 | 2398.35go.net | CHINA UNICOM China169 Backbone | CN | whitelisted
7816 | 微信_sm60048088e.exe | 121.37.247.153:80 | infoc0.duba.net | Huawei Cloud Service data center | CN | whitelisted
7816 | 微信_sm60048088e.exe | 36.41.168.165:80 | softmgr.duba.net | CHINANET SHAANXI province Cloud Base network | CN | whitelisted
7816 | 微信_sm60048088e.exe | 114.132.191.224:443 | softmgr-softsem-srv.jinshanapi.com | Shenzhen Tencent Computer Systems Company Limited | CN | unknown
7816 | 微信_sm60048088e.exe | 218.12.76.155:80 | 2398.35go.net | CHINA UNICOM China169 Backbone | CN | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.110
whitelisted
2398.35go.net
  • 218.12.76.157
  • 218.12.76.152
  • 218.12.76.156
  • 218.12.76.150
  • 218.12.76.155
  • 218.12.76.154
  • 218.12.76.159
  • 218.12.76.158
whitelisted
infoc0.duba.net
  • 121.37.247.153
  • 139.9.37.26
  • 139.9.43.42
  • 139.9.43.12
  • 139.9.36.178
  • 139.9.36.107
  • 139.9.44.129
  • 139.9.45.227
  • 139.9.35.91
  • 139.9.36.171
  • 139.9.39.206
  • 139.9.43.15
  • 139.9.45.223
  • 139.9.46.163
  • 124.71.209.131
whitelisted
softmgr.duba.net
  • 36.41.168.165
  • 120.233.178.91
  • 218.12.76.168
  • 36.41.168.170
  • 221.194.141.170
  • 221.194.141.164
  • 120.233.178.92
whitelisted
softmgr-softsem-srv.jinshanapi.com
  • 114.132.191.224
unknown
config.i.duba.net
  • 218.12.76.155
  • 218.12.76.150
  • 218.12.76.152
  • 218.12.76.157
  • 218.12.76.159
  • 218.12.76.156
  • 218.12.76.154
  • 218.12.76.158
whitelisted
cd001.www.duba.net
  • 218.12.76.156
  • 120.52.95.245
  • 218.12.76.152
  • 120.52.95.247
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 2.17.190.73
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted

Threats

PID | Process | Class | Message
7816 | 微信_sm60048088e.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
7816 | 微信_sm60048088e.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] PUP.Win32/KingSoft.E HTTP POST Request
7816 | 微信_sm60048088e.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
7816 | 微信_sm60048088e.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
7816 | 微信_sm60048088e.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] PUP.Win32/KingSoft.E HTTP POST Request
7816 | 微信_sm60048088e.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
7816 | 微信_sm60048088e.exe | Possibly Unwanted Program Detected | ADWARE [ANY.RUN] PUP.Win32/KingSoft.E HTTP POST Request
7816 | 微信_sm60048088e.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
7816 | 微信_sm60048088e.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
7816 | 微信_sm60048088e.exe | Potentially Bad Traffic | ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
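The Threats table above shows two signature families firing on the installer's traffic: a bare "Mozilla/4.0" User-Agent that the ET HUNTING rule treats as likely fake, and the PUP.Win32/KingSoft.E hits on the POSTs to infoc0.duba.net/c/. The following is an added example (not code from ANY.RUN, Emerging Threats or the page) of the same two checks plus an IOC-host match, run offline over constructed HTTP log lines. The User-Agent strings in the sample lines are invented, since the page does not print them; the "bare Mozilla/4.0 with no platform details" test is an approximation of the ET rule, and keying the PUP rule on the observed host and path is an assumption about a signature whose content the page does not show.

```python
import re
import shlex
from collections import Counter
from urllib.parse import urlsplit

# Hosts the sample resolved or contacted, from the DNS requests and Connections tables above.
IOC_HOSTS = {
    "infoc0.duba.net", "2398.35go.net", "softmgr.duba.net", "config.i.duba.net",
    "cd001.www.duba.net", "softmgr-softsem-srv.jinshanapi.com",
}
# Every POST in the HTTP requests table went here; assumption: this is what KingSoft.E keys on.
PUP_POST_ENDPOINTS = {("infoc0.duba.net", "/c/")}

RULES = {
    "fake_ua": "ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)",
    "pup_post": "ADWARE [ANY.RUN] PUP.Win32/KingSoft.E HTTP POST Request",
    "ioc_host": "Report IOC host contacted",
}

# Constructed log lines in a made-up format: pid process method status ip:port url "user-agent".
# The User-Agent values are invented for the example; the page does not print them.
SAMPLE_LOG = """\
7816 微信_sm60048088e.exe POST 200 121.37.247.153:80 http://infoc0.duba.net/c/ "Mozilla/4.0"
7816 微信_sm60048088e.exe GET 200 218.12.76.157:80 http://2398.35go.net/defend/o1/jcqgx.ini "Mozilla/4.0"
7816 微信_sm60048088e.exe GET 200 36.41.168.165:80 "http://softmgr.duba.net/softmgr_v2/softdetail/60048088.json?ver=1" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
8824 msedge.exe GET 200 142.250.185.110:443 https://google.com/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Edg/122.0.2365.59"
"""


def parse_line(line: str) -> dict:
    pid, proc, method, status, peer, url, ua = shlex.split(line)
    parts = urlsplit(url)
    return {"pid": int(pid), "process": proc, "method": method, "status": int(status),
            "peer": peer, "host": parts.hostname, "path": parts.path, "ua": ua}


def is_fake_mozilla4(ua: str) -> bool:
    """Bare 'Mozilla/4.0' product token with nothing after it. Real browsers that used
    Mozilla/4.0 always appended a parenthesised platform block (approximation of the ET rule)."""
    return re.fullmatch(r"Mozilla/4\.0\s*", ua) is not None


def detect(rec: dict) -> list:
    hits = []
    if is_fake_mozilla4(rec["ua"]):
        hits.append("fake_ua")
    if rec["method"] == "POST" and (rec["host"], rec["path"]) in PUP_POST_ENDPOINTS:
        hits.append("pup_post")
    if rec["host"] in IOC_HOSTS:
        hits.append("ioc_host")
    return hits


def run_detection(log: str) -> list:
    """(pid, process, rule id, message) for every rule that fires on every line."""
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for rule in detect(rec):
            alerts.append((rec["pid"], rec["process"], rule, RULES[rule]))
    return alerts


def summarize(alerts: list) -> Counter:
    return Counter(rule for _, _, rule, _ in alerts)


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOG):
        print(alert)
    print(summarize(run_detection(SAMPLE_LOG)))
```

The third sample line is the reason the three checks are kept separate: a request to a report IOC host with a fully formed User-Agent should still surface on the host match even though the UA rule stays quiet, while the Edge line fires nothing despite google.com appearing in the DNS table, because only the hosts the sample itself talked to are in the IOC set.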
Process | Message
kxescore.exe | c:\program files (x86)\kingsoft\kingsoft antivirus\ksapi.dll
kxescore.exe | c:\program files (x86)\kingsoft\kingsoft antivirus\ksapi.dll
kxescore.exe | [magic cube] loading file : c:\program files (x86)\kingsoft\kingsoft antivirus\data\switch_record.dat
kxescore.exe | [magic cube] local cache file not exist,reset data
kxescore.exe | [magic cube] loading file : c:\program files (x86)\kingsoft\kingsoft antivirus\data\switch_record.dat
kxescore.exe | [magic cube] already init
kxescore.exe | [magic cube] local cache file not exist,reset data
kxescore.exe | [magic cube] loading file : c:\program files (x86)\kingsoft\kingsoft antivirus\data\abtest_record.dat
kxescore.exe | [magic cube] already init
kxescore.exe | [magic cube] local cache file not exist,reset data