File name:	YoudaoDict.exe
Full analysis:	https://app.any.run/tasks/1160ac8e-b0b3-49ca-86e6-fe3fd458c5fe
Verdict:	Malicious activity
Analysis date:	January 19, 2024, 08:26:06
OS:	Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	E57F9C958CC4BCC334A77B41C1438096
SHA1:	33A268111B89F3223EFA3C5402CCB410E68338D0
SHA256:	8BBAEF49B971CB9EF141E75F66C3A0EDA1F0B5D9383E4D11C6EF8F0BBE3F1F2B
SSDEEP:	98304:kiVla0FYLGOqwH3CeVMJ1dzt7OabUycikjmh6BTgxr7d7xJUpxe6j2+sG9EATjAs:Pj9a

.exe	\|	Win32 Executable (generic) (3.6)
.exe	\|	Generic Win/DOS Executable (1.6)
.exe	\|	DOS Executable Generic (1.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:05:11 05:00:01+02:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.29
CodeSize:	7598592
InitializedDataSize:	4121600
UninitializedDataSize:	-
EntryPoint:	0x4bc260
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	10.0.4.0
ProductVersionNumber:	10.0.4.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Chinese (Simplified)
CharacterSet:	Windows, Chinese (Simplified)
CompanyName:	网易公司
FileDescription:	网易有道翻译
FileVersion:	10.0.4.0
InternalName:	YoudaoDict.exe
LegalCopyright:	(C) 网易公司。保留所有权利。
OriginalFileName:	YoudaoDict.exe
ProductName:	网易有道翻译
ProductVersion:	10.0.4.0


(PID) Process:	(5164) SearchApp.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings
Operation:	write	Name:	SafeSearchMode
Value: 1
(PID) Process:	(5164) SearchApp.exe	Key:	\REGISTRY\A\{354c1aac-1173-10f3-47ce-69a986cb584a}\LocalState
Operation:	write	Name:	BINGIDENTITY_PROP_USEREMAIL
Value: 0000B755392DB14ADA01
(PID) Process:	(5164) SearchApp.exe	Key:	\REGISTRY\A\{354c1aac-1173-10f3-47ce-69a986cb584a}\LocalState
Operation:	write	Name:	BINGIDENTITY_PROP_ACCOUNTTYPETEXT
Value: 0000B755392DB14ADA01
(PID) Process:	(5164) SearchApp.exe	Key:	\REGISTRY\A\{354c1aac-1173-10f3-47ce-69a986cb584a}\LocalState
Operation:	write	Name:	BINGIDENTITY_PROP_ACCOUNTTYPE
Value: 4E006F006E006500000021B93B2DB14ADA01
(PID) Process:	(5164) SearchApp.exe	Key:	\REGISTRY\A\{354c1aac-1173-10f3-47ce-69a986cb584a}\LocalState
Operation:	write	Name:	BINGIDENTITY_PROP_ACCOUNTTYPE
Value: 00006FDF945EB14ADA01
(PID) Process:	(5164) SearchApp.exe	Key:	\REGISTRY\A\{354c1aac-1173-10f3-47ce-69a986cb584a}\LocalState
Operation:	write	Name:	BINGIDENTITY_PROP_AUTHORITY
Value: 6400650076006900630065000000D5B27A6629C7D901
(PID) Process:	(5164) SearchApp.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5164) SearchApp.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(5164) SearchApp.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com
Operation:	write	Name:	Total
Value: 117133
(PID) Process:	(5164) SearchApp.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com
Operation:	write	Name:	Total
Value: 129

PID	Process	Filename		Type
2224	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_YoudaoDict.exe_24c13b5317acdd3b4df3f7aa5848a8e8d85be8_dcfc6ee4_664d4925-1462-4f0a-9c0d-dde3a0b3a7e1\Report.wer		—
		MD5:—	SHA256:—
2224	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER45AC.tmp.WERInternalMetadata.xml		xml
		MD5:6B10D7330EE5B09069CA4B4A120040B3	SHA256:9ADCAE61D67380E33B4FA9ABE299FD230ED352E34EB3B6707CC958D78AB3CCE3
2224	WerFault.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785		binary
		MD5:FE7C7BD6FB8E09B893382BCF7515E984	SHA256:375069944A918EB3FA6BF9B2732C7CFA90B66CCC7567DA3745A8BF9ACB6542CA
2224	WerFault.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE		binary
		MD5:5B86987CFE951E5013143C36998B3D66	SHA256:64A8D55A9249AEA4C1D78C6FC7AA634D4A9323998EFF23C4D7E7D9CA30D14662
2224	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER45DB.tmp.xml		xml
		MD5:DC18BF804C731B4B0C686BD5642957A2	SHA256:E85E13B071DC1ACF2B033E5AF8FEB9181457FEEF163A0227770F0DDBC0068E36
5164	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\45\6hU_LneafI_NFLeDvM367ebFaKQ[1].js		text
		MD5:C6C21B7634D82C53FB86080014D86E66	SHA256:D39E9BA92B07F4D50B11A49965E9B162452D7B9C9F26D9DCB07825727E31057E
756	FileCoAuth.exe	C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-01-19.0827.756.1.aodl		binary
		MD5:923BF0E545D9C37CA8874C8D6C4A30E6	SHA256:AB32C675D35DDBEBFCF8B11720C3E550024E8D0DF557838F17186377E3D0FE65
2224	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\YoudaoDict.exe.4448.dmp		binary
		MD5:ECCB64981DBC599B4AEADF8061BEB26F	SHA256:0E73F59D1E8B50001C9541667BF1AC9F3A9EC546321BF489716350808D2311FF
2224	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER450E.tmp.dmp		binary
		MD5:D862A8A4E29291724B731E6D79EAF3A7	SHA256:AB08E88EA292C089069E940E9B8D8FA9093C9C25F185A588EE652058CC01EA60
5164	SearchApp.exe	C:\Users\admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\45\4BpQ1bD8vX1mXuJObN-gg9RqkyQ.br[1].js		text
		MD5:8465A334065673EB6A6487C8D87539DB	SHA256:84ED6C495B322B0F2213CC33EC6C652D84D82E010C928B1141DB2290D4365F3D

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5744	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	binary	471 b	unknown
1092	svchost.exe	POST	302	23.218.210.69:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
3732	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	binary	409 b	unknown
1092	svchost.exe	POST	302	23.218.210.69:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
1092	svchost.exe	POST	302	23.218.210.69:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
1092	svchost.exe	POST	302	23.218.210.69:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
1092	svchost.exe	POST	—	138.91.171.81:80	http://dmd.metaservices.microsoft.com/metadata.svc	unknown	—	—	unknown
3732	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	binary	418 b	unknown
1092	svchost.exe	POST	302	23.218.210.69:80	http://go.microsoft.com/fwlink/?LinkID=252669&clcid=0x409	unknown	—	—	unknown
2224	WerFault.exe	GET	200	23.32.238.112:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	binary	1.11 Kb	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
5612	MoUsoCoreWorker.exe	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5744	svchost.exe	40.126.32.74:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5744	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	unknown
—	—	40.127.240.158:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3720	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
1092	svchost.exe	23.218.210.69:80	go.microsoft.com	AKAMAI-AS	DE	unknown
1092	svchost.exe	52.142.223.178:80	dmd.metaservices.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
5612	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3732	SIHClient.exe	40.68.123.157:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	unknown
3732	SIHClient.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	unknown

Domain	IP	Reputation
login.live.com	40.126.32.74 40.126.32.133 20.190.160.17 40.126.32.68 20.190.160.20 40.126.32.136 40.126.32.140 20.190.160.14	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
go.microsoft.com	23.218.210.69	whitelisted
dmd.metaservices.microsoft.com	52.142.223.178 138.91.171.81	whitelisted
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59	whitelisted
slscr.update.microsoft.com	40.68.123.157	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
fe3cr.delivery.mp.microsoft.com	13.95.31.18	whitelisted
umwatson.events.data.microsoft.com	20.189.173.21	whitelisted
x1.c.lencr.org	69.192.161.44	whitelisted

General Info

YoudaoDict.exe

E57F9C958CC4BCC334A77B41C1438096

33A268111B89F3223EFA3C5402CCB410E68338D0

8BBAEF49B971CB9EF141E75F66C3A0EDA1F0B5D9383E4D11C6EF8F0BBE3F1F2B

98304:kiVla0FYLGOqwH3CeVMJ1dzt7OabUycikjmh6BTgxr7d7xJUpxe6j2+sG9EATjAs:Pj9a

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

SUSPICIOUS

Executes application which crashes

Checks Windows Trust Settings

Reads security settings of Internet Explorer

INFO

Creates files in the program directory

Creates files or folders in the user directory

Checks supported languages

Checks proxy server information

Reads the computer name

Reads the software policy settings

Process checks Internet Explorer phishing filters

Reads the machine GUID from the registry

Process checks computer location settings

Reads Environment values

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings