Malware analysis ICBC_TDR_UShield2_Install(2).exe Malicious activity

Add for printing

File name:	ICBC_TDR_UShield2_Install(2).exe
Full analysis:	https://app.any.run/tasks/35b10575-bbf1-4919-a73a-3c5fdea41784
Verdict:	Malicious activity
Analysis date:	December 14, 2023, 10:49:29
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	qrcode
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:	288054FE43530B9EAB16F787E13CA262
SHA1:	4F66A9B41AD8E5DEB737B4583F05273F6916B7D2
SHA256:	F36CFA9854CFF33A7DE38F64187166B2DE8C723FCA9C65AB317F0CCEDBCB2712
SSDEEP:	98304:guC+oMlWZ/A1vIt2ix2GWKXHP2JVzcIFYG6dYdXq4oJIB7yZJ8brGl9wrwAF32am:pSLP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.19596 KB4534251
Adobe Acrobat Reader DC (20.013.20064)
Adobe Acrobat Reader DC (20.013.20064)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 ActiveX (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 NPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Flash Player 32 PPAPI (32.0.0.453)
Adobe Refresh Manager (1.8.0)
Adobe Refresh Manager (1.8.0)
CCleaner (6.14)
CCleaner (6.14)
FileZilla 3.65.0 (3.65.0)
FileZilla 3.65.0 (3.65.0)
Google Chrome (109.0.5414.120)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.36.31)
Google Update Helper (1.3.36.31)
Java 8 Update 271 (8.0.2710.9)
Java 8 Update 271 (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Java Auto Updater (2.8.271.9)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.175.29)
Microsoft Edge Update (1.3.175.29)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Firefox (x86 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (32-bit x86) (7.9.1)
Notepad++ (32-bit x86) (7.9.1)
PowerShell 7-x86 (7.2.11.0)
PowerShell 7-x86 (7.2.11.0)
Skype version 8.100 (8.100)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (3.0.11)
VLC media player (3.0.11)
WinRAR 5.91 (32-bit) (5.91.0)
WinRAR 5.91 (32-bit) (5.91.0)

Add for printing

MALICIOUS
- Creates a writable file in the system directory
  - ICBC_TDR_UShield2_Install(2).exe (PID: 2600)
- Drops the executable file immediately after the start
  - ICBC_TDR_UShield2_Install(2).exe (PID: 2600)
- Registers / Runs the DLL via REGSVR32.EXE
  - ICBC_TDR_UShield2_Install(2).exe (PID: 2600)
- Changes the autorun value in the registry
  - D4Ser_ICBC.exe (PID: 3856)
SUSPICIOUS
- Malware-specific behavior (creating "System.dll" in Temp)
  - ICBC_TDR_UShield2_Install(2).exe (PID: 2600)
- The process creates files with name similar to system file names
  - ICBC_TDR_UShield2_Install(2).exe (PID: 2600)
- Reads the Internet Settings
  - ICBC_TDR_UShield2_Install(2).exe (PID: 2600)
  - D4Svr_ICBC.exe (PID: 3964)
  - iexplore.exe (PID: 2984)
- Executes as Windows Service
  - D4Ser_ICBC.exe (PID: 3856)
- Application launched itself
  - D4Ser_ICBC.exe (PID: 3856)
  - iexplore.exe (PID: 2984)
- Uses REG/REGEDIT.EXE to modify registry
  - ICBC_TDR_UShield2_Install(2).exe (PID: 2600)
- Changes internet zones settings
  - ICBC_TDR_UShield2_Install(2).exe (PID: 2600)
  - D4Svr_ICBC.exe (PID: 3964)
  - iexplore.exe (PID: 2984)
- Reads settings of System Certificates
  - D4Svr_ICBC.exe (PID: 3208)
  - iexplore.exe (PID: 2984)
- Starts application with an unusual extension
  - ICBC_TDR_UShield2_Install(2).exe (PID: 2600)
- Checks Windows Trust Settings
  - iexplore.exe (PID: 2984)
- Reads security settings of Internet Explorer
  - iexplore.exe (PID: 2984)
- Adds/modifies Windows certificates
  - iexplore.exe (PID: 2984)
INFO
- Checks supported languages
  - ICBC_TDR_UShield2_Install(2).exe (PID: 2600)
  - D4Ser_ICBC.exe (PID: 2336)
  - D4Ser_ICBC.exe (PID: 3856)
  - D4Ser_ICBC.exe (PID: 2860)
  - D4Svr_ICBC.exe (PID: 3208)
  - D4Svr_ICBC.exe (PID: 3964)
  - ns6C58.tmp (PID: 644)
  - D4Tool_ICBC.exe (PID: 3436)
  - iexplore.exe (PID: 2984)
  - wmpnscfg.exe (PID: 3736)
- Reads the computer name
  - ICBC_TDR_UShield2_Install(2).exe (PID: 2600)
  - D4Ser_ICBC.exe (PID: 2336)
  - D4Ser_ICBC.exe (PID: 3856)
  - D4Ser_ICBC.exe (PID: 2860)
  - D4Svr_ICBC.exe (PID: 3964)
  - D4Svr_ICBC.exe (PID: 3208)
  - iexplore.exe (PID: 2984)
  - wmpnscfg.exe (PID: 3736)
- Create files in a temporary directory
  - ICBC_TDR_UShield2_Install(2).exe (PID: 2600)
  - iexplore.exe (PID: 2984)
- Creates files in the program directory
  - ICBC_TDR_UShield2_Install(2).exe (PID: 2600)
  - D4Svr_ICBC.exe (PID: 3208)
- Reads the machine GUID from the registry
  - D4Svr_ICBC.exe (PID: 3964)
  - D4Tool_ICBC.exe (PID: 3436)
  - iexplore.exe (PID: 2984)
- Process checks are UAC notifies on
  - iexplore.exe (PID: 2984)
- Process checks computer location settings
  - iexplore.exe (PID: 2984)
- Checks proxy server information
  - iexplore.exe (PID: 2984)
- Creates files or folders in the user directory
  - iexplore.exe (PID: 2984)
- Manual execution by a user
  - wmpnscfg.exe (PID: 3736)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2010:04:10 14:19:31+02:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	25600
InitializedDataSize:	431104
UninitializedDataSize:	16896
EntryPoint:	0x354b
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	2.0.0.128
ProductVersionNumber:	2.0.0.128
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Tendyron
FileDescription:	Tendyron 193D4 for Industrial and Commercial Bank of China
FileVersion:	2.0.0.128
LegalCopyright:	Copyright(C) 2025 Tendyron
ProductName:	Tendyron 193D4 for Industrial and Commercial Bank of China
ProductVersion:	2.0.0.128

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

644

"C:\Users\admin\AppData\Local\Temp\nsz6C7.tmp\ns6C58.tmp" C:\Program Files\ICBCEbankTools\Tendyron/res/config_ws_tdr.bat

C:\Users\admin\AppData\Local\Temp\nsz6C7.tmp\ns6C58.tmp

—

ICBC_TDR_UShield2_Install(2).exe

User:

admin

Integrity Level:

HIGH

Exit code:

3221225501

Modules

Images
c:\users\admin\appdata\local\temp\nsz6c7.tmp\ns6c58.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

1988

C:\Windows\system32\regsvr32.exe /s "C:\Windows\Downloaded Program Files\icbc_tdrusbkey.dll"

C:\Windows\System32\regsvr32.exe

—

ICBC_TDR_UShield2_Install(2).exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2300

C:\Windows\system32\regsvr32.exe /s "C:\Windows\Downloaded Program Files\icbcgm_tdrusbkey.dll"

C:\Windows\System32\regsvr32.exe

—

ICBC_TDR_UShield2_Install(2).exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft(C) Register Server

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll

2336

C:\Windows\system32/D4Ser_ICBC.exe -i -s

C:\Windows\System32\D4Ser_ICBC.exe

—

ICBC_TDR_UShield2_Install(2).exe

User:

admin

Company:

Tendyron Corporation

Integrity Level:

HIGH

Description:

中国工商银行U盾服务软件

Exit code:

Version:

1, 0, 0, 2

Modules

Images
c:\windows\system32\d4ser_icbc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

2600

"C:\Users\admin\AppData\Local\Temp\ICBC_TDR_UShield2_Install(2).exe"

C:\Users\admin\AppData\Local\Temp\ICBC_TDR_UShield2_Install(2).exe

explorer.exe

User:

admin

Company:

Tendyron

Integrity Level:

HIGH

Description:

Tendyron 193D4 for Industrial and Commercial Bank of China

Exit code:

Version:

2.0.0.128

Modules

Images
c:\users\admin\appdata\local\temp\icbc_tdr_ushield2_install(2).exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

2860

C:\Windows\system32\D4Ser_ICBC.exe -m

C:\Windows\System32\D4Ser_ICBC.exe

—

D4Ser_ICBC.exe

User:

SYSTEM

Company:

Tendyron Corporation

Integrity Level:

SYSTEM

Description:

中国工商银行U盾服务软件

Exit code:

Version:

1, 0, 0, 2

Modules

Images
c:\windows\system32\d4ser_icbc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

2984

http://www.icbc.com.cn/

C:\Program Files\Internet Explorer\iexplore.exe

D4Tool_ICBC.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Internet Explorer

Exit code:

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

3208

C:\Windows\system32\D4Svr_ICBC.exe installRoot

C:\Windows\System32\D4Svr_ICBC.exe

—

ICBC_TDR_UShield2_Install(2).exe

User:

admin

Company:

Tendyron Corporation

Integrity Level:

HIGH

Description:

中国工商银行证书注册程序

Exit code:

Version:

2, 5, 1, 10

Modules

Images
c:\windows\system32\d4svr_icbc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

3264

"C:\Users\admin\AppData\Local\Temp\ICBC_TDR_UShield2_Install(2).exe"

C:\Users\admin\AppData\Local\Temp\ICBC_TDR_UShield2_Install(2).exe

—

explorer.exe

User:

admin

Company:

Tendyron

Integrity Level:

MEDIUM

Description:

Tendyron 193D4 for Industrial and Commercial Bank of China

Exit code:

3221226540

Version:

2.0.0.128

Modules

Images
c:\users\admin\appdata\local\temp\icbc_tdr_ushield2_install(2).exe
c:\windows\system32\ntdll.dll

3288

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:2984 CREDAT:275457 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

iexplore.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Internet Explorer

Exit code:

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

Add for printing

Total events

30 464

Read events

30 283

Write events

181

Delete events

Modification events


(PID) Process:	(2600) ICBC_TDR_UShield2_Install(2).exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2600) ICBC_TDR_UShield2_Install(2).exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2600) ICBC_TDR_UShield2_Install(2).exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2600) ICBC_TDR_UShield2_Install(2).exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2600) ICBC_TDR_UShield2_Install(2).exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Tendyron\193D4_ICBC
Operation:	write	Name:	USBKeyVersion
Value: 1.0.0.20
(PID) Process:	(2600) ICBC_TDR_UShield2_Install(2).exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Tendyron\193D4_ICBC
Operation:	write	Name:	GMUSBKeyVersion
Value: 1.0.0.18
(PID) Process:	(2600) ICBC_TDR_UShield2_Install(2).exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
Operation:	write	Name:	2500
Value: 0
(PID) Process:	(2600) ICBC_TDR_UShield2_Install(2).exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Operation:	write	Name:	2500
Value: 3
(PID) Process:	(3964) D4Svr_ICBC.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
Operation:	write	Name:	2201
Value: 3
(PID) Process:	(3964) D4Svr_ICBC.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US

Add for printing

Executable files

Suspicious files

Text files

225

Unknown types

Dropped files

PID	Process	Filename		Type
2600	ICBC_TDR_UShield2_Install(2).exe	C:\Users\admin\AppData\Local\Temp\nsz6C7.tmp\System.dll		executable
		MD5:959EA64598B9A3E494C00E8FA793BE7E	SHA256:03CD57AB00236C753E7DDEEE8EE1C10839ACE7C426769982365531042E1F6F8B
2600	ICBC_TDR_UShield2_Install(2).exe	C:\Users\admin\AppData\Local\Temp\ICBC_TDR_LOGO.bmp		image
		MD5:2A86FF2C8874BE3A41BFF4BDC1AEBDA9	SHA256:A87507783431D112068EA846D368AC6F55B12C1CA12ACC1F37AB0B98598DC63C
2600	ICBC_TDR_UShield2_Install(2).exe	C:\Users\admin\AppData\Local\Temp\nsz6C7.tmp\LangDLL.dll		executable
		MD5:410A586735F45164C86BDA363AD8446F	SHA256:B15B1FC88D1B56088B2D3738D76772A91FA186A316A3E0A154358820D0FB9005
2600	ICBC_TDR_UShield2_Install(2).exe	C:\Users\admin\AppData\Local\Temp\nsz6C7.tmp\Splash.dll		executable
		MD5:0E2B7B4D19A6C9F62D04820AE502C167	SHA256:8992098E5709AD7D68A8E021B20489338507A48523D8DDA6F5244ADC33A404A4
2600	ICBC_TDR_UShield2_Install(2).exe	C:\Users\admin\AppData\Local\Temp\nsz6C7.tmp\Plugin_gsyh.dll		executable
		MD5:742F42337AD1E4CDB097EAE6D5A21C0C	SHA256:4D9DE3EBF01A1362BD318255C46DC11E02155E24BCB1149E18F76DE1726FC59A
2600	ICBC_TDR_UShield2_Install(2).exe	C:\Users\admin\AppData\Local\Temp\nsz6C7.tmp\UserInfo.dll		executable
		MD5:D16E06C5DE8FB8213A0464568ED9852F	SHA256:728472BA312AE8AF7F30D758AB473E0772477A68FCD1D2D547DAFE6D8800D531
2600	ICBC_TDR_UShield2_Install(2).exe	C:\Users\admin\AppData\Local\Temp\nsz6C7.tmp\ioSpecial.ini		text
		MD5:6F98FCDA445825382121E480A64AE24C	SHA256:689A67B30946CBE12DCE92D17207EC0488E850A806BE608E6FB174F853F86B57
2600	ICBC_TDR_UShield2_Install(2).exe	C:\Users\admin\AppData\Local\Temp\nsz6C7.tmp\modern-wizard.bmp		image
		MD5:CBE40FD2B1EC96DAEDC65DA172D90022	SHA256:3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
2600	ICBC_TDR_UShield2_Install(2).exe	C:\Program Files\ICBCEbankTools\ICBCEbankPlugin\icbc_TDR_usbkey_edge.json		text
		MD5:DBFC6F71713AC53FD149835A717577D6	SHA256:4E641BF6618BA90F098C72DB05474E3F73108CB91D62274BFC17C80E1A01E321
2600	ICBC_TDR_UShield2_Install(2).exe	C:\Program Files\ICBCEbankTools\Tendyron\unInstall.exe		executable
		MD5:4BDE6C0AFEAC84EBD1D24BA6CC14DFC9	SHA256:3795052CD94D671E91C961D53617CBD03F998FCCF745984E1808807879A00925

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3288	iexplore.exe	GET	302	43.152.44.239:80	http://www.icbc.com.cn/	unknown	—	—	unknown
3288	iexplore.exe	GET	200	163.181.92.236:80	http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQoKCsJAnleSoD2J3SoeC9qbEFAqgQUFl5oZ7yWIGLuNkzUZMPpoijWY8ICEASy2xU%2Bq1l7B%2F%2BTDVjs%2FQA%3D	unknown	binary	471 b	unknown
3288	iexplore.exe	GET	200	163.181.92.236:80	http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQoKCsJAnleSoD2J3SoeC9qbEFAqgQUFl5oZ7yWIGLuNkzUZMPpoijWY8ICEA2e0lx%2BX9agdMkyYWpNvHU%3D	unknown	binary	471 b	unknown
2984	iexplore.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D	unknown	binary	314 b	unknown
3288	iexplore.exe	GET	200	43.152.44.239:80	http://v.icbc.com.cn/userfiles/Resources/ICBC/licai/information3.png	unknown	image	441 b	unknown
3288	iexplore.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA9bw6F2y3ieICDHiTyBZ7Q%3D	unknown	binary	1.47 Kb	unknown
3288	iexplore.exe	GET	200	163.181.56.214:80	http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMO%2FVnZnwG%2FBa1LlDnjADjVWaMsQQURUHjk1RwuOmlt5a8JrFYdUKXPvMCEAhYv1QpDxO33fbPE7HPhKo%3D	unknown	binary	471 b	unknown
3288	iexplore.exe	GET	200	163.181.56.214:80	http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAfVfx8VW73kz4Q3jhf3m5Q%3D	unknown	binary	471 b	unknown
3288	iexplore.exe	GET	200	163.181.56.214:80	http://ocsp.dcocsp.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQMO%2FVnZnwG%2FBa1LlDnjADjVWaMsQQURUHjk1RwuOmlt5a8JrFYdUKXPvMCEAMY4pjz9EgEG7eFCGRmrtI%3D	unknown	binary	471 b	unknown
3288	iexplore.exe	GET	200	163.181.92.236:80	http://ocsp.digicert.cn/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQoKCsJAnleSoD2J3SoeC9qbEFAqgQUFl5oZ7yWIGLuNkzUZMPpoijWY8ICEAHX0qy9NcsNJjcJj0vVbFA%3D	unknown	binary	471 b	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
1080	svchost.exe	224.0.0.252:5355	—	—	—	unknown
4	System	192.168.100.255:137	—	—	—	whitelisted
2588	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
3288	iexplore.exe	43.152.44.239:80	www.icbc.com.cn	ACE	DE	unknown
3288	iexplore.exe	43.152.44.239:443	www.icbc.com.cn	ACE	DE	unknown
3288	iexplore.exe	93.184.221.240:80	ctldl.windowsupdate.com	EDGECAST	GB	whitelisted
3288	iexplore.exe	163.181.92.236:80	ocsp.digicert.cn	Zhejiang Taobao Network Co.,Ltd	DE	unknown
3288	iexplore.exe	60.247.99.191:443	act.icbc.com.cn	China Networks Inter-Exchange	CN	unknown
2984	iexplore.exe	104.126.37.137:443	www.bing.com	Akamai International B.V.	DE	unknown

DNS requests

Domain	IP	Reputation
www.icbc.com.cn	43.152.44.239	unknown
ctldl.windowsupdate.com	93.184.221.240	whitelisted
ocsp.digicert.cn	163.181.92.236 163.181.92.237 163.181.92.234 163.181.92.233 163.181.92.235 163.181.92.231 163.181.92.238 163.181.92.232	whitelisted
v.icbc.com.cn	43.152.44.239	unknown
act.icbc.com.cn	60.247.99.191	unknown
api.bing.com	13.107.5.80	whitelisted
www.bing.com	104.126.37.137 104.126.37.130 104.126.37.144 104.126.37.131 104.126.37.128 104.126.37.153 104.126.37.139 104.126.37.146 104.126.37.154	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
hit.icbc.com.cn	220.196.77.32	unknown
papi.icbc.com.cn	58.33.221.114	unknown

Threats

No threats detected

Add for printing

Process	Message
ICBC_TDR_UShield2_Install(2).exe	process name
ICBC_TDR_UShield2_Install(2).exe	OK
ICBC_TDR_UShield2_Install(2).exe	Installation prompt for ICBC U-Shield program (Tiandi Rong)
ICBC_TDR_UShield2_Install(2).exe	The following programs may affect software installation. Do you want to forcibly close them
ICBC_TDR_UShield2_Install(2).exe	process ID
ICBC_TDR_UShield2_Install(2).exe	CALCEL
ICBC_TDR_UShield2_Install(2).exe	D4Token_ICBC.dll
ICBC_TDR_UShield2_Install(2).exe	GetDllOwnerProcName::param
ICBC_TDR_UShield2_Install(2).exe	The following programs may affect software installation. Do you want to forcibly close them
ICBC_TDR_UShield2_Install(2).exe	In GetDllOwnerNameList

General Info

ICBC_TDR_UShield2_Install(2).exe

288054FE43530B9EAB16F787E13CA262

4F66A9B41AD8E5DEB737B4583F05273F6916B7D2

F36CFA9854CFF33A7DE38F64187166B2DE8C723FCA9C65AB317F0CCEDBCB2712

98304:guC+oMlWZ/A1vIt2ix2GWKXHP2JVzcIFYG6dYdXq4oJIB7yZJ8brGl9wrwAF32am:pSLP

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Creates a writable file in the system directory

Drops the executable file immediately after the start

Registers / Runs the DLL via REGSVR32.EXE

Changes the autorun value in the registry

SUSPICIOUS

Malware-specific behavior (creating "System.dll" in Temp)

The process creates files with name similar to system file names

Reads the Internet Settings

Executes as Windows Service

Application launched itself

Uses REG/REGEDIT.EXE to modify registry

Changes internet zones settings

Reads settings of System Certificates

Starts application with an unusual extension

Checks Windows Trust Settings

Reads security settings of Internet Explorer

Adds/modifies Windows certificates

INFO

Checks supported languages

Reads the computer name

Create files in a temporary directory

Creates files in the program directory

Reads the machine GUID from the registry

Process checks are UAC notifies on

Process checks computer location settings

Checks proxy server information

Creates files or folders in the user directory

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings