File name:

3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7

Full analysis: https://app.any.run/tasks/182ac4d0-c7b8-4440-9573-f01680fa91a5
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: August 02, 2021, 10:32:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
trojan
loader
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

4FC9C9C14E14EEF4757D11F376211E79

SHA1:

AF65F450962D11F22FF29CFAC42627E312D15091

SHA256:

3E50AC6B901F3E7BBE4A241053FB01FF030657C6F6D407E8333FE377864A31E7

SSDEEP:

24576:eJWJ+4SaJPCK2v5WYpwUvuEak6qDBZj8aBQL0VCm7jWYXVd6:eJWQjaJPKcct9pdWYXVd6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Connects to CnC server

      • 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe (PID: 2108)
      • krecommend.exe (PID: 2940)

    • Drops executable file immediately after starts

      • DDPicSetup@2001.exe (PID: 2856)
      • LDSGameMasterInstRoad_211501.exe (PID: 2612)
      • ldsgamemaster.exe (PID: 1560)
      • k52zip20210514_300_10.exe (PID: 2096)
      • 360DesktopLite_3112698.exe (PID: 2276)
      • 360DesktopLite_3112698.tmp (PID: 2612)

    • Application was dropped or rewritten from another process

      • Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe (PID: 2080)
      • LDSGameMasterInstRoad_211501.exe (PID: 2612)
      • ldsgamemaster.exe (PID: 1560)
      • DDPicSetup@2001.exe (PID: 2856)
      • SoftPhotoPlus.exe (PID: 2312)
      • k52zip20210514_300_10.exe (PID: 2096)
      • kzipservice.exe (PID: 912)
      • kzip_casual64.exe (PID: 2528)
      • kzip_main.exe (PID: 2700)
      • krecommend.exe (PID: 2940)
      • 360DesktopLite_3112698.exe (PID: 2276)
      • 360DesktopService.exe (PID: 2232)
      • 360DesktopService64.exe (PID: 2508)
      • 360DesktopLite.exe (PID: 1496)
      • 360DeskAna.exe (PID: 3444)
      • 360DesktopService64.exe (PID: 3276)
      • 360DesktopLite64.exe (PID: 3764)
      • kzip_main.exe (PID: 3504)
      • LdsHelper.exe (PID: 704)
      • fpprotect.exe (PID: 2328)
      • fastpdf_ext_process.exe (PID: 2408)
      • fastpdf_ext_process64.exe (PID: 3816)
      • fastpdf.exe (PID: 3584)
      • fastpdf_ext_process.exe (PID: 3564)
      • fastpdf.exe (PID: 3132)
      • ComputerZ14.exe (PID: 2840)
      • fastpdf.exe (PID: 4004)
      • kavlog2.exe (PID: 2116)
      • kxetray.exe (PID: 3636)
      • kislive.exe (PID: 3736)
      • kxescore.exe (PID: 2452)
      • kxescore.exe (PID: 2212)
      • knewvip.exe (PID: 4004)
      • kismain.exe (PID: 3396)
      • kxetray.exe (PID: 3532)
      • kxecenter.exe (PID: 420)
      • kwsprotect64.exe (PID: 3312)
      • ksoftmgr.exe (PID: 1872)

    • Loads dropped or rewritten executable

      • SoftPhotoPlus.exe (PID: 2312)
      • ldsgamemaster.exe (PID: 1560)
      • Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe (PID: 2080)
      • LDSGameMasterInstRoad_211501.exe (PID: 2612)
      • kzipservice.exe (PID: 912)
      • kzip_casual64.exe (PID: 2528)
      • kzip_main.exe (PID: 2700)
      • krecommend.exe (PID: 2940)
      • 360DesktopLite.exe (PID: 1496)
      • 360DeskAna.exe (PID: 3444)
      • 360DesktopLite64.exe (PID: 3764)
      • kzip_main.exe (PID: 3504)
      • jMtAaEiLtQmGjYdV.exe (PID: 3316)
      • svchost.exe (PID: 3356)
      • LdsHelper.exe (PID: 704)
      • fpprotect.exe (PID: 2328)
      • fastpdf_ext_process.exe (PID: 2408)
      • fastpdf.exe (PID: 3132)
      • fastpdf.exe (PID: 3584)
      • 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe (PID: 2108)
      • ComputerZ14.exe (PID: 2840)
      • fastpdf_ext_process.exe (PID: 3564)
      • fastpdf.exe (PID: 4004)
      • ksoftmgr.exe (PID: 1872)
      • kavlog2.exe (PID: 2116)
      • kxetray.exe (PID: 3636)
      • kislive.exe (PID: 3736)
      • kxescore.exe (PID: 2452)
      • kxescore.exe (PID: 2212)
      • knewvip.exe (PID: 4004)
      • kismain.exe (PID: 3396)
      • kxetray.exe (PID: 3532)
      • kxecenter.exe (PID: 420)
      • kwsprotect64.exe (PID: 3312)

    • Changes settings of System certificates

      • ldsgamemaster.exe (PID: 1560)
      • Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe (PID: 2080)
      • 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe (PID: 2108)

    • Actions looks like stealing of personal data

      • k52zip20210514_300_10.exe (PID: 2096)
      • 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe (PID: 2108)
      • kxetray.exe (PID: 3636)
      • kxescore.exe (PID: 2212)

    • Changes the autorun value in the registry

      • 360DesktopLite64.exe (PID: 3764)
      • krecommend.exe (PID: 2940)

    • Creates or modifies windows services

      • ldsgamemaster.exe (PID: 1560)

    • Steals credentials from Web Browsers

      • 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe (PID: 2108)
      • kxetray.exe (PID: 3636)

  • SUSPICIOUS

    • Reads the computer name

      • 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe (PID: 2108)
      • Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe (PID: 2080)
      • DDPicSetup@2001.exe (PID: 2856)
      • LDSGameMasterInstRoad_211501.exe (PID: 2612)
      • SoftPhotoPlus.exe (PID: 2312)
      • ldsgamemaster.exe (PID: 1560)
      • k52zip20210514_300_10.exe (PID: 2096)
      • kzipservice.exe (PID: 912)
      • kzip_casual64.exe (PID: 2528)
      • kzip_main.exe (PID: 2700)
      • FlashUtil64_27_0_0_187_ActiveX.exe (PID: 2844)
      • krecommend.exe (PID: 2940)
      • 360DesktopLite_3112698.tmp (PID: 2612)
      • 360DesktopService64.exe (PID: 3276)
      • 360DesktopLite.exe (PID: 1496)
      • 360DesktopService64.exe (PID: 2508)
      • 360DesktopService.exe (PID: 2232)
      • 360DesktopLite64.exe (PID: 3764)
      • 360DeskAna.exe (PID: 3444)
      • kzip_main.exe (PID: 3504)
      • jMtAaEiLtQmGjYdV.exe (PID: 3316)
      • JGSEM_PDF_ver21042318.520.1.1.1.exe (PID: 524)
      • LdsHelper.exe (PID: 704)
      • fpprotect.exe (PID: 2328)
      • fastpdf_ext_process64.exe (PID: 3816)
      • fastpdf.exe (PID: 3132)
      • fastpdf.exe (PID: 3584)
      • ComputerZ14.exe (PID: 2840)
      • fastpdf.exe (PID: 4004)
      • ksoftmgr.exe (PID: 1872)
      • kislive.exe (PID: 3736)
      • kxescore.exe (PID: 2212)
      • kxescore.exe (PID: 2452)
      • kxetray.exe (PID: 3636)
      • kismain.exe (PID: 3396)
      • kxetray.exe (PID: 3532)
      • kxecenter.exe (PID: 420)

    • Creates files in the user directory

      • 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe (PID: 2108)
      • DDPicSetup@2001.exe (PID: 2856)
      • FlashUtil64_27_0_0_187_ActiveX.exe (PID: 2844)
      • 360DesktopLite_3112698.tmp (PID: 2612)
      • 360DesktopLite64.exe (PID: 3764)
      • ldsgamemaster.exe (PID: 1560)
      • ComputerZ14.exe (PID: 2840)
      • kxetray.exe (PID: 3636)

    • Executable content was dropped or overwritten

      • 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe (PID: 2108)
      • DDPicSetup@2001.exe (PID: 2856)
      • LDSGameMasterInstRoad_211501.exe (PID: 2612)
      • Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe (PID: 2080)
      • ldsgamemaster.exe (PID: 1560)
      • k52zip20210514_300_10.exe (PID: 2096)
      • 360DesktopLite_3112698.exe (PID: 2276)
      • 360DesktopLite_3112698.tmp (PID: 2612)
      • krecommend.exe (PID: 2940)
      • JGSEM_PDF_ver21042318.520.1.1.1.exe (PID: 524)
      • kxescore.exe (PID: 2212)

    • Searches for installed software

      • 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe (PID: 2108)
      • ldsgamemaster.exe (PID: 1560)
      • fastpdf_ext_process.exe (PID: 2408)
      • fastpdf_ext_process64.exe (PID: 3816)
      • fastpdf_ext_process.exe (PID: 3564)
      • kxescore.exe (PID: 2212)
      • kxetray.exe (PID: 3636)

    • Drops a file with a compile date too recent

      • 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe (PID: 2108)
      • Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe (PID: 2080)
      • ldsgamemaster.exe (PID: 1560)
      • 360DesktopLite_3112698.tmp (PID: 2612)
      • kxetray.exe (PID: 3636)

    • Checks supported languages

      • 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe (PID: 2108)
      • Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe (PID: 2080)
      • DDPicSetup@2001.exe (PID: 2856)
      • SoftPhotoPlus.exe (PID: 2312)
      • LDSGameMasterInstRoad_211501.exe (PID: 2612)
      • ldsgamemaster.exe (PID: 1560)
      • k52zip20210514_300_10.exe (PID: 2096)
      • kzipservice.exe (PID: 912)
      • kzip_casual64.exe (PID: 2528)
      • kzip_main.exe (PID: 2700)
      • krecommend.exe (PID: 2940)
      • FlashUtil64_27_0_0_187_ActiveX.exe (PID: 2844)
      • 360DesktopLite_3112698.exe (PID: 2276)
      • 360DesktopLite_3112698.tmp (PID: 2612)
      • 360DesktopService.exe (PID: 2232)
      • 360DesktopLite.exe (PID: 1496)
      • 360DesktopService64.exe (PID: 3276)
      • 360DesktopService64.exe (PID: 2508)
      • 360DeskAna.exe (PID: 3444)
      • 360DesktopLite64.exe (PID: 3764)
      • kzip_main.exe (PID: 3504)
      • jMtAaEiLtQmGjYdV.exe (PID: 3316)
      • JGSEM_PDF_ver21042318.520.1.1.1.exe (PID: 524)
      • LdsHelper.exe (PID: 704)
      • fpprotect.exe (PID: 2328)
      • fastpdf_ext_process.exe (PID: 2408)
      • fastpdf_ext_process64.exe (PID: 3816)
      • fastpdf.exe (PID: 3132)
      • fastpdf_ext_process.exe (PID: 3564)
      • fastpdf.exe (PID: 3584)
      • ComputerZ14.exe (PID: 2840)
      • fastpdf.exe (PID: 4004)
      • kavlog2.exe (PID: 2116)
      • ksoftmgr.exe (PID: 1872)
      • kxetray.exe (PID: 3636)
      • kxescore.exe (PID: 2452)
      • kxescore.exe (PID: 2212)
      • kislive.exe (PID: 3736)
      • knewvip.exe (PID: 4004)
      • kismain.exe (PID: 3396)
      • kxecenter.exe (PID: 420)
      • kxetray.exe (PID: 3532)
      • kwsprotect64.exe (PID: 3312)

    • Creates a software uninstall entry

      • DDPicSetup@2001.exe (PID: 2856)
      • k52zip20210514_300_10.exe (PID: 2096)
      • JGSEM_PDF_ver21042318.520.1.1.1.exe (PID: 524)
      • krecommend.exe (PID: 2940)
      • kxetray.exe (PID: 3636)

    • Drops a file that was compiled in debug mode

      • 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe (PID: 2108)
      • DDPicSetup@2001.exe (PID: 2856)
      • LDSGameMasterInstRoad_211501.exe (PID: 2612)
      • Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe (PID: 2080)
      • k52zip20210514_300_10.exe (PID: 2096)
      • ldsgamemaster.exe (PID: 1560)
      • 360DesktopLite_3112698.tmp (PID: 2612)
      • krecommend.exe (PID: 2940)
      • JGSEM_PDF_ver21042318.520.1.1.1.exe (PID: 524)
      • kxescore.exe (PID: 2212)

    • Drops a file with too old compile date

      • 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe (PID: 2108)
      • k52zip20210514_300_10.exe (PID: 2096)
      • krecommend.exe (PID: 2940)
      • ldsgamemaster.exe (PID: 1560)
      • JGSEM_PDF_ver21042318.520.1.1.1.exe (PID: 524)

    • Creates files in the program directory

      • k52zip20210514_300_10.exe (PID: 2096)
      • krecommend.exe (PID: 2940)
      • JGSEM_PDF_ver21042318.520.1.1.1.exe (PID: 524)
      • fastpdf.exe (PID: 3132)
      • ldsgamemaster.exe (PID: 1560)
      • kxescore.exe (PID: 2452)
      • kislive.exe (PID: 3736)
      • kxetray.exe (PID: 3636)
      • kismain.exe (PID: 3396)
      • kxescore.exe (PID: 2212)
      • kxecenter.exe (PID: 420)
      • kwsprotect64.exe (PID: 3312)

    • Adds / modifies Windows certificates

      • ldsgamemaster.exe (PID: 1560)
      • Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe (PID: 2080)
      • 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe (PID: 2108)

    • Creates a directory in Program Files

      • k52zip20210514_300_10.exe (PID: 2096)
      • kzipservice.exe (PID: 912)
      • krecommend.exe (PID: 2940)
      • ldsgamemaster.exe (PID: 1560)
      • JGSEM_PDF_ver21042318.520.1.1.1.exe (PID: 524)
      • fpprotect.exe (PID: 2328)
      • kxetray.exe (PID: 3636)
      • kxescore.exe (PID: 2452)
      • kxescore.exe (PID: 2212)
      • kislive.exe (PID: 3736)
      • kwsprotect64.exe (PID: 3312)

    • Executed as Windows Service

      • kzipservice.exe (PID: 912)
      • 360DesktopService64.exe (PID: 3276)
      • fpprotect.exe (PID: 2328)
      • kxescore.exe (PID: 2212)

    • Reads CPU info

      • k52zip20210514_300_10.exe (PID: 2096)
      • kxescore.exe (PID: 2212)
      • kxetray.exe (PID: 3636)

    • Reads the date of Windows installation

      • k52zip20210514_300_10.exe (PID: 2096)

    • Reads Microsoft Outlook installation path

      • IEXPLORE.EXE (PID: 2296)
      • krecommend.exe (PID: 2940)
      • ksoftmgr.exe (PID: 1872)

    • Creates/Modifies COM task schedule object

      • kzip_casual64.exe (PID: 2528)
      • fastpdf_ext_process.exe (PID: 2408)
      • fastpdf_ext_process64.exe (PID: 3816)
      • fastpdf_ext_process.exe (PID: 3564)
      • krecommend.exe (PID: 2940)
      • kxescore.exe (PID: 2212)
      • kxetray.exe (PID: 3636)

    • Changes default file association

      • kzip_main.exe (PID: 2700)
      • fastpdf_ext_process.exe (PID: 2408)
      • fastpdf.exe (PID: 3584)
      • kxetray.exe (PID: 3636)

    • Executed via COM

      • FlashUtil64_27_0_0_187_ActiveX.exe (PID: 2844)

    • Changes IE settings (feature browser emulation)

      • krecommend.exe (PID: 2940)

    • Reads internet explorer settings

      • krecommend.exe (PID: 2940)
      • ksoftmgr.exe (PID: 1872)

    • Uses TASKKILL.EXE to kill process

      • 360DesktopLite_3112698.tmp (PID: 2612)

    • Reads Windows owner or organization settings

      • 360DesktopLite_3112698.tmp (PID: 2612)

    • Reads the Windows organization settings

      • 360DesktopLite_3112698.tmp (PID: 2612)

    • Creates files in the Windows directory

      • svchost.exe (PID: 3356)
      • krecommend.exe (PID: 2940)
      • kavlog2.exe (PID: 2116)
      • kxescore.exe (PID: 2212)

    • Changes the started page of IE

      • 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe (PID: 2108)

    • Reads default file associations for system extensions

      • fastpdf_ext_process.exe (PID: 3564)
      • kxetray.exe (PID: 3636)

    • Creates files in the driver directory

      • krecommend.exe (PID: 2940)
      • kxescore.exe (PID: 2212)

    • Removes files from Windows directory

      • krecommend.exe (PID: 2940)

    • Creates or modifies windows services

      • kxescore.exe (PID: 2212)

    • Writes to a desktop.ini file (may be used to cloak folders)

      • krecommend.exe (PID: 2940)
      • kxescore.exe (PID: 2212)

  • INFO

    • Checks Windows Trust Settings

      • 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe (PID: 2108)
      • ldsgamemaster.exe (PID: 1560)
      • iexplore.exe (PID: 2008)
      • Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe (PID: 2080)
      • IEXPLORE.EXE (PID: 2296)
      • svchost.exe (PID: 3356)
      • jMtAaEiLtQmGjYdV.exe (PID: 3316)
      • ComputerZ14.exe (PID: 2840)
      • kxescore.exe (PID: 2212)

    • Reads settings of System Certificates

      • 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe (PID: 2108)
      • ldsgamemaster.exe (PID: 1560)
      • iexplore.exe (PID: 2008)
      • Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe (PID: 2080)
      • 360DesktopLite64.exe (PID: 3764)
      • IEXPLORE.EXE (PID: 2296)
      • svchost.exe (PID: 3356)
      • jMtAaEiLtQmGjYdV.exe (PID: 3316)
      • ComputerZ14.exe (PID: 2840)
      • kxescore.exe (PID: 2212)

    • Checks supported languages

      • iexplore.exe (PID: 2008)
      • IEXPLORE.EXE (PID: 2296)
      • taskkill.exe (PID: 1496)
      • taskkill.exe (PID: 2912)
      • taskkill.exe (PID: 2924)
      • taskkill.exe (PID: 1496)
      • svchost.exe (PID: 3356)

    • Manual execution by user

      • iexplore.exe (PID: 2008)

    • Reads the computer name

      • iexplore.exe (PID: 2008)
      • IEXPLORE.EXE (PID: 2296)
      • taskkill.exe (PID: 1496)
      • taskkill.exe (PID: 2912)
      • taskkill.exe (PID: 1496)
      • taskkill.exe (PID: 2924)
      • svchost.exe (PID: 3356)

    • Changes internet zones settings

      • iexplore.exe (PID: 2008)

    • Reads CPU info

      • IEXPLORE.EXE (PID: 2296)

    • Reads internet explorer settings

      • IEXPLORE.EXE (PID: 2296)

    • Creates files in the user directory

      • IEXPLORE.EXE (PID: 2296)
      • iexplore.exe (PID: 2008)

    • Application was dropped or rewritten from another process

      • 360DesktopLite_3112698.tmp (PID: 2612)

    • Creates files in the program directory

      • 360DesktopLite_3112698.tmp (PID: 2612)

    • Loads dropped or rewritten executable

      • 360DesktopLite_3112698.tmp (PID: 2612)

    • Dropped object may contain TOR URL's

      • Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe (PID: 2080)

    • Creates a software uninstall entry

      • 360DesktopLite_3112698.tmp (PID: 2612)

    • Dropped object may contain Bitcoin addresses

      • ldsgamemaster.exe (PID: 1560)
      • JGSEM_PDF_ver21042318.520.1.1.1.exe (PID: 524)
      • 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe (PID: 2108)
      • krecommend.exe (PID: 2940)
      • kislive.exe (PID: 3736)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

ProductVersion: 3.2.0.8
ProductName: 软件下载器
OriginalFileName: FastDownloader.exe
LegalCopyright: Copyright (C) 2018
InternalName: FastDownloader.exe
FileVersion: 3.2.0.8
FileDescription:
CompanyName: -
CharacterSet: Unicode
LanguageCode: Chinese (Simplified)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 3.2.0.8
FileVersionNumber: 3.2.0.8
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x2a3570
UninitializedDataSize: 1720320
InitializedDataSize: 28672
CodeSize: 1044480
LinkerVersion: 14.16
PEType: PE32
TimeStamp: 2021:07:23 04:32:11+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 23-Jul-2021 02:32:11
Detected languages:
  • Chinese - PRC
  • English - United States
CompanyName: -
FileDescription: -
FileVersion: 3.2.0.8
InternalName: FastDownloader.exe
LegalCopyright: Copyright (C) 2018
OriginalFilename: FastDownloader.exe
ProductName: 软件下载器
ProductVersion: 3.2.0.8

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000138

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 23-Jul-2021 02:32:11
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x001A4000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rdata
0x001A5000
0x000FF000
0x000FE800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.92895
.rsrc
0x002A4000
0x00007000
0x00006A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.03052
.data
0x002AB000
0x000000FD
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.86232
.reloc
0x002AC000
0x000000CF
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.03839

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.06216
651
UNKNOWN
English - United States
RT_MANIFEST
2
3.24731
296
UNKNOWN
Chinese - PRC
RT_ICON
3
3.27183
3752
UNKNOWN
Chinese - PRC
RT_ICON
4
3.91452
2216
UNKNOWN
Chinese - PRC
RT_ICON
5
3.47417
1384
UNKNOWN
Chinese - PRC
RT_ICON
6
3.02843
9640
UNKNOWN
Chinese - PRC
RT_ICON
7
2.82055
4264
UNKNOWN
Chinese - PRC
RT_ICON
8
2.44525
1128
UNKNOWN
Chinese - PRC
RT_ICON
104
2.81158
118
UNKNOWN
Chinese - PRC
RT_GROUP_ICON
112
7.7117
111794
UNKNOWN
Chinese - PRC
ZIPRES

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
IMM32.dll
KERNEL32.DLL
MSIMG32.dll
NETAPI32.dll
OLEACC.dll
OLEAUT32.dll
SHELL32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
105
Monitored processes
51
Malicious processes
35
Suspicious processes
6

Behavior graph

Click at the process to see the details
drop and start drop and start download and start drop and start drop and start start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start drop and start 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe ddpicsetup@2001.exe softphotoplus.exe ldsgamemasterinstroad_211501.exe ldsgamemaster.exe k52zip20210514_300_10.exe kzipservice.exe no specs iexplore.exe iexplore.exe kzip_casual64.exe no specs kzip_main.exe krecommend.exe flashutil64_27_0_0_187_activex.exe no specs 360desktoplite_3112698.exe 360desktoplite_3112698.tmp taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs taskkill.exe no specs 360desktopservice.exe no specs 360desktopservice64.exe no specs 360desktoplite.exe no specs 360desktopservice64.exe no specs 360deskana.exe no specs 360desktoplite64.exe kzip_main.exe jmtaaeiltqmgjydv.exe jgsem_pdf_ver21042318.520.1.1.1.exe svchost.exe ldshelper.exe fpprotect.exe no specs fastpdf_ext_process.exe no specs fastpdf_ext_process64.exe fastpdf_ext_process.exe no specs fastpdf.exe fastpdf.exe computerz14.exe fastpdf.exe kavlog2.exe ksoftmgr.exe kxetray.exe kxescore.exe no specs kislive.exe kxescore.exe knewvip.exe no specs kismain.exe no specs kxetray.exe no specs kxecenter.exe no specs kwsprotect64.exe no specs 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
420"c:\program files (x86)\kingsoft\kingsoft antivirus\kxecenter.exe" c:\program files (x86)\kingsoft\kingsoft antivirus\kxecenter.exekxetray.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
Kingsoft Security - kxecenter
Exit code:
0
Version:
2021,01,15,13
Modules
Images
c:\program files (x86)\kingsoft\kingsoft antivirus\kxecenter.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
524JGSEM_PDF_ver21042318.520.1.1.1.exeC:\Users\admin\AppData\Local\Temp\RnLR0lbBm4mAF9KD\JGSEM_PDF_ver21042318.520.1.1.1.exe
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
Kingsoft Security - pdfreader install module
Exit code:
0
Version:
2021,04,07,6
Modules
Images
c:\users\admin\appdata\local\temp\rnlr0lbbm4maf9kd\jgsem_pdf_ver21042318.520.1.1.1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
704"C:\Program Files (x86)\LuDaShi\Utils\LdsHelper.exe" C:\Program Files (x86)\LuDaShi\Utils\LdsHelper.exe
ldsgamemaster.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
6.0.0.1001
Modules
Images
c:\windows\system32\wow64win.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
912"C:\Program Files (x86)\k52zip\kzipservice.exe"C:\Program Files (x86)\k52zip\kzipservice.exeservices.exe
User:
SYSTEM
Company:
Kingsoft Corporation
Integrity Level:
SYSTEM
Description:
kzipservice
Exit code:
0
Version:
2021,05,08,281
Modules
Images
c:\program files (x86)\k52zip\kzipservice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
1492"C:\Users\admin\Desktop\3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe" C:\Users\admin\Desktop\3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exeExplorer.EXE
User:
admin
Company:
-
Integrity Level:
MEDIUM
Description:
Exit code:
3221226540
Version:
3.2.0.8
Modules
Images
c:\users\admin\desktop\3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
1496"taskkill" /im 360desktoplite.exe /fC:\Windows\SysWOW64\taskkill.exe360DesktopLite_3112698.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\wow64.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
1496"taskkill" /im 360searchlite.exe /fC:\Windows\SysWOW64\taskkill.exe360DesktopLite_3112698.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\taskkill.exe
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\ntdll.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
1496"C:\Users\admin\AppData\Roaming\Desktoplite\360DesktopLite.exe" /inst=3112698C:\Users\admin\AppData\Roaming\Desktoplite\360DesktopLite.exe360DesktopLite_3112698.tmp
User:
admin
Company:
360.cn
Integrity Level:
HIGH
Description:
????
Exit code:
0
Version:
11.0.0.1681
Modules
Images
c:\users\admin\appdata\roaming\desktoplite\360desktoplite.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
1560"C:\Users\admin\AppData\Local\Temp\ldsgamemaster.exe" /PID="211501" /S /FROM=instC:\Users\admin\AppData\Local\Temp\ldsgamemaster.exe
LDSGameMasterInstRoad_211501.exe
User:
admin
Integrity Level:
HIGH
Description:
??????
Exit code:
0
Version:
7.1.3582.2210
Modules
Images
c:\users\admin\appdata\local\temp\ldsgamemaster.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
1872"c:\program files (x86)\kingsoft\kingsoft antivirus\ksoftmgr.exe" -preloadc:\program files (x86)\kingsoft\kingsoft antivirus\ksoftmgr.exe
krecommend.exe
User:
admin
Company:
Kingsoft Corporation
Integrity Level:
HIGH
Description:
Kingsoft Security - ????
Exit code:
0
Version:
2021,03,22,584
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files (x86)\kingsoft\kingsoft antivirus\ksoftmgr.exe
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernelbase.dll
Total events
122 123
Read events
120 745
Write events
1 275
Delete events
103

Modification events

(PID) Process:(2108) 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\RFC1156Agent\CurrentVersion\Parameters
Operation:writeName:TrapPollTimeMilliSecs
Value:
15000
(PID) Process:(2108) 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exeKey:HKEY_CURRENT_USER\Software\UIDowner
Operation:writeName:usestime
Value:
1
(PID) Process:(2108) 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exeKey:HKEY_CURRENT_USER\Software\UIDowner\repeat
Operation:writeName:24900394
Value:
17720866
(PID) Process:(2108) 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2108) 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2108) 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2108) 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2108) 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000082000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2108) 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2108) 3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
Executable files
910
Suspicious files
783
Text files
957
Unknown types
103

Dropped files

PID
Process
Filename
Type
21083e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exeC:\Download\1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
MD5:
SHA256:
21083e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exeC:\Users\admin\AppData\Roaming\Tencent\beacon\GlobalMgr.dbtext
MD5:
SHA256:
21083e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exeC:\Users\admin\UIDowner\R2TWuLE3aq.icoimage
MD5:
SHA256:
21083e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\000F7F8FAB2D96E6F8CBD5C9A3B4EC90binary
MD5:
SHA256:
21083e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exeC:\Users\admin\Desktop\????.lnklnk
MD5:
SHA256:
21083e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:
SHA256:
21083e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDW1XBVN\DDPicSetup@2001[1].exeexecutable
MD5:
SHA256:
2856DDPicSetup@2001.exeC:\Users\admin\AppData\Roaming\DDPhoto\SoftPhotoPlus.exeexecutable
MD5:
SHA256:
21083e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exeC:\Users\admin\AppData\Local\Temp\Tar7374.tmpcat
MD5:
SHA256:
2856DDPicSetup@2001.exeC:\Users\admin\AppData\Roaming\DDPhoto\libFormat.dllexecutable
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
518
TCP/UDP connections
459
DNS requests
237
Threats
288

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
GET
200
60.205.177.239:80
http://downloader.aldtop.com/client/next?step=1&theme=16&softid=5&webid=28&channelid=28&user=bb1d45f7bff725a02d8fbec3e07ebc52&session=4f0a694b709d0e712ea6f6e19ab023f6&ver=5.6.4.38&winver=6.1&sdsoft=0&city=0&userev=0&rnd=29560
CN
text
3 b
malicious
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
GET
200
58.218.215.149:80
http://img.aldtop.com/storage/upload/muqsdSFSSvRStz2dxMad1yI9ClU5ndEQYCEUn9w6.png
CN
image
2.05 Kb
suspicious
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
GET
200
58.218.215.149:80
http://img.aldtop.com/storage/upload/XQJOqd3jn8c4G23QrOoO0BFYbAxu6bR2TWuLE3aq.ico
CN
image
9.44 Kb
suspicious
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
GET
200
218.12.76.150:80
http://resource.aldtop.com/upload/xml/360.xml?webid=28&channelid=28&softid=5&token=80fe4baea4ccdff45fdb20c36261355e&sys=x64
CN
xml
849 b
suspicious
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
GET
200
58.218.215.149:80
http://img.aldtop.com/storage/upload/yo5jWQwgDDlXlD9TM6X9J3g4p8r32gFupyWGVM7W.png
CN
image
5.15 Kb
suspicious
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
GET
200
58.218.215.149:80
http://img.aldtop.com/storage/upload/BF9p3RyxzG0ifCJHOtKsYn8wwnGsipAlgPgIfvjt.jpeg
CN
image
1.11 Kb
suspicious
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
POST
200
47.114.82.123:80
http://client.aldtop.com/api/v1/config
CN
text
155 b
suspicious
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
GET
200
60.205.177.239:80
http://downloader.aldtop.com/client/next?step=2&theme=16&softid=5&webid=28&channelid=28&user=bb1d45f7bff725a02d8fbec3e07ebc52&session=4f0a694b709d0e712ea6f6e19ab023f6&ver=5.6.4.38&winver=6.1&sdsoft=0&city=0&userev=0&rnd=29694
CN
text
3 b
malicious
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
GET
200
218.12.76.150:80
http://resource.aldtop.com/2020/16278971678571.png
CN
binary
852 Kb
suspicious
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
GET
200
104.192.108.21:80
http://dl.360safe.com/pclianmeng/n/1__3112633__3f7372633d6c6d266c733d6e34623664373335303965__68616f2e3336302e636e__0c6f.exe
US
executable
84.2 Mb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
129.226.107.102:443
channel.gameloop.fun
Unisys AsiaPac Intranet Access to Internet
US
suspicious
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
218.12.76.150:80
resource.aldtop.com
CHINA UNICOM China169 Backbone
CN
malicious
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
163.171.132.18:80
qd.dy008.com
US
malicious
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
104.192.108.17:80
dl.360safe.com
Beijing Qihu Technology Company Limited
US
malicious
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
104.192.108.17:443
dl.360safe.com
Beijing Qihu Technology Company Limited
US
malicious
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
104.192.108.20:80
dl.360safe.com
Beijing Qihu Technology Company Limited
US
malicious
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
47.114.82.123:80
client.aldtop.com
CN
unknown
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
125.77.167.183:80
download.52pcfree.com
No.31,Jin-rong Street
CN
suspicious
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
184.86.103.22:80
repository.certum.pl
Akamai Technologies, Inc.
US
suspicious
2080
Inst3__3112601__3f7372633d6c6d266c733d6e30316264363462333966__68616f2e3336302e636e__0c97.exe
171.8.167.89:80
s.360.cn
No.31,Jin-rong Street
CN
suspicious

DNS requests

Domain
IP
Reputation
client.aldtop.com
  • 47.114.82.123
suspicious
downloader.aldtop.com
  • 60.205.177.239
unknown
channel.gameloop.fun
  • 129.226.107.102
  • 129.226.106.5
suspicious
resource.aldtop.com
  • 218.12.76.150
  • 120.52.95.243
  • 120.52.95.242
  • 218.12.76.151
suspicious
img.aldtop.com
  • 58.218.215.149
suspicious
dl.360safe.com
  • 104.192.108.21
  • 104.192.108.19
  • 104.192.108.17
  • 104.192.108.20
whitelisted
api.aldtop.com
  • 182.92.156.114
whitelisted
statapi.aldtop.com
  • 182.92.156.114
unknown
dl.ludashi.com
  • 104.192.108.17
  • 104.192.108.19
  • 104.192.108.20
  • 104.192.108.21
whitelisted
qd.dy008.com
  • 163.171.132.18
malicious

Threats

PID
Process
Class
Message
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
A Network Trojan was detected
AV TROJAN Downer.C Variant Checkin
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
Potentially Bad Traffic
ET MALWARE Downer.B Variant Checkin
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
A Network Trojan was detected
ET MALWARE User-Agent (User-Agent Mozilla/4.0 (compatible ))
2108
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7.exe
A Network Trojan was detected
ET MALWARE User-Agent (User-Agent Mozilla/4.0 (compatible ))
125 ETPRO signatures available at the full report
Process
Message
fastpdf_ext_process64.exe
C:\Program Files (x86)\fastpdf\kpdfmenu64.dll
fastpdf_ext_process64.exe
g_KpdfmenushellFactory ok
fastpdf.exe
CmdLineProcessor "-refreshdesktop=1"
fastpdf.exe
before file : "-refreshdesktop=1"
fastpdf.exe
after : "-refreshdesktop=1"
fastpdf.exe
default file : ""
fastpdf.exe
Process
fastpdf.exe
HasAbandonedCommondLine
fastpdf.exe
CmdLineProcessor "-associate=1"
fastpdf.exe
before file : "-associate=1"
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
3e50ac6b901f3e7bbe4a241053fb01ff030657c6f6d407e8333fe377864a31e7