Malware analysis https://n21ald.oss-cn-shanghai.aliyuncs.com/download/%E6%9C%89%E9%81%93%E4%BA%91%E7%AC%94%E8%AE%B0_128116110.exe Malicious activity

Add for printing

URL:	https://n21ald.oss-cn-shanghai.aliyuncs.com/download/%E6%9C%89%E9%81%93%E4%BA%91%E7%AC%94%E8%AE%B0_128116110.exe
Full analysis:	https://app.any.run/tasks/c46ff4ad-9902-4efa-a8bc-433bf3a202c7
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	January 07, 2021, 10:51:38
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	trojan adware
Indicators:
MD5:	C131535546F44F074AE5F5F6CC0BDA01
SHA1:	199E4D3CDD5EC4935D6FD26B6241F833D49FC8F3
SHA256:	978CFC152798AE12CF0B507E111F907D3691D62770A7A65FA1114950B1352533
SSDEEP:	3:N8NUEP4jNFjFzKLA8uAgRAgRKFSQ5mnAnBsbdA:2TP2o0BFmUzn2B

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.17843 KB3058515
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)
srvpost (2.12.72)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Hyphenation Parent Package English
IE Spelling Parent Package English
IE Troubleshooters Package
InternetExplorer Optional Package
InternetExplorer Package TopLevel
KB2533623
KB2534111
KB2639308
KB2729094
KB2731771
KB2786081
KB2834140
KB2882822
KB2888049
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
PlatformUpdate Win7 SRV08R2 Package TopLevel
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - 有道云笔记_128116110.exe (PID: 2684)
  - 有道云笔记_128116110.exe (PID: 3848)
  - QQLiveDownloader.exe (PID: 3648)
  - InstallDaemon.exe (PID: 2808)
  - YoudaoNote.exe (PID: 2312)
  - YoudaoNote.exe (PID: 3520)
  - YoudaoNote.exe (PID: 2896)
  - InstallDaemon.exe (PID: 3252)
  - YoudaoNote.exe (PID: 3344)
  - RunYNote.exe (PID: 1984)
  - fastpdf_ext_process.exe (PID: 3004)
  - fastpdf_ext_process.exe (PID: 2612)
  - fpprotect.exe (PID: 2272)
  - fastpdf_ext_process.exe (PID: 2772)
  - fastpdf.exe (PID: 2628)
  - fastpdf.exe (PID: 2248)
  - QQLive.exe (PID: 3740)
  - QQLive.exe (PID: 3100)
  - QQLive.exe (PID: 1176)
  - QQLive.exe (PID: 3108)
  - QQLive.exe (PID: 880)
  - QQLive.exe (PID: 3172)
  - YoudaoDictInstaller.exe (PID: 3440)
  - InstallHelper.exe (PID: 1712)
  - InstallHelper.exe (PID: 580)
  - InstallHelper.exe (PID: 988)
  - InstallHelper.exe (PID: 2428)
  - YNoteCefRender.exe (PID: 540)
  - QQLive.exe (PID: 3512)
  - InstallHelper.exe (PID: 3492)
  - hardwarecheck.exe (PID: 3364)
  - HardwarecheckBrowser.exe (PID: 292)
  - QQLive.exe (PID: 2016)
  - hardwarecheck.exe (PID: 2608)
  - hardwarecheck.exe (PID: 3508)
  - Statistics.exe (PID: 1924)
  - YoudaoDictInstaller.exe (PID: 2104)
  - QQLive.exe (PID: 5856)
  - hardwarecheck.exe (PID: 4624)
  - QQLive.exe (PID: 5396)
  - QQLiveBrowser.exe (PID: 4384)
  - X64Helper.exe (PID: 5908)
  - InstallDaemon.exe (PID: 5012)
  - YoudaoDictIcon.exe (PID: 5308)
  - QQLiveBrowser.exe (PID: 4464)
  - fastpdf.exe (PID: 4288)
- Connects to CnC server
  - 有道云笔记_128116110.exe (PID: 3848)
  - Fastpdf_Setup_YunDong_260_4_20201204.exe (PID: 3356)
- Changes settings of System certificates
  - 有道云笔记_128116110.exe (PID: 3848)
  - hardwarecheck.exe (PID: 3364)
- Loads dropped or rewritten executable
  - YNote116110.exe (PID: 2164)
  - wmiprvse.exe (PID: 2288)
  - YoudaoNote.exe (PID: 2312)
  - YoudaoNote.exe (PID: 3520)
  - regsvr32.exe (PID: 3596)
  - RunYNote.exe (PID: 1984)
  - YoudaoNote.exe (PID: 2896)
  - YoudaoNote.exe (PID: 3344)
  - fastpdf.exe (PID: 2248)
  - fastpdf.exe (PID: 2628)
  - fastpdf_ext_process.exe (PID: 3004)
  - fastpdf_ext_process.exe (PID: 2772)
  - YoudaoDict_ynote.download.exe (PID: 1744)
  - fastpdf_ext_process.exe (PID: 2612)
  - fpprotect.exe (PID: 2272)
  - hardwarecheck.exe (PID: 3364)
  - hardwarecheck.exe (PID: 3508)
  - hardwarecheck.exe (PID: 2608)
  - QQLiveDownloader.exe (PID: 3648)
  - svchost.exe (PID: 860)
  - HardwarecheckBrowser.exe (PID: 292)
  - QQLive.exe (PID: 3108)
  - QQLive.exe (PID: 880)
  - QQLive.exe (PID: 3100)
  - QQLive.exe (PID: 1176)
  - QQLive.exe (PID: 3512)
  - QQLive.exe (PID: 3172)
  - QQLive.exe (PID: 3740)
  - regsvr32.exe (PID: 3024)
  - QQLive.exe (PID: 2016)
  - QQLiveBrowser.exe (PID: 4384)
  - X64Helper.exe (PID: 5908)
  - QQLive.exe (PID: 5856)
  - QQLive.exe (PID: 5396)
  - hardwarecheck.exe (PID: 4624)
  - QQLiveBrowser.exe (PID: 4464)
  - fastpdf.exe (PID: 4288)
- Registers / Runs the DLL via REGSVR32.EXE
  - YNote116110.exe (PID: 2164)
  - YoudaoNote.exe (PID: 2312)
  - YoudaoDictInstaller.exe (PID: 3440)
- Changes the autorun value in the registry
  - YoudaoNote.exe (PID: 2312)
  - QQLiveDownloader.exe (PID: 3648)
  - YoudaoDictInstaller.exe (PID: 3440)
  - YoudaoDict_ynote.download.exe (PID: 1744)
SUSPICIOUS
- Executable content was dropped or overwritten
  - chrome.exe (PID: 3260)
  - YNote116110.exe (PID: 2164)
  - 有道云笔记_128116110.exe (PID: 3848)
  - YoudaoNote.exe (PID: 2312)
  - Fastpdf_Setup_YunDong_260_4_20201204.exe (PID: 3356)
  - YoudaoDict_ynote.download.exe (PID: 1744)
  - InstallHelper.exe (PID: 3492)
  - QQLiveDownloader.exe (PID: 3648)
  - InstallHelper.exe (PID: 580)
  - InstallHelper.exe (PID: 1712)
  - YoudaoDictInstaller.exe (PID: 3440)
- Drops a file with a compile date too recent
  - chrome.exe (PID: 3260)
  - Fastpdf_Setup_YunDong_260_4_20201204.exe (PID: 3356)
  - YoudaoDict_ynote.download.exe (PID: 1744)
  - QQLiveDownloader.exe (PID: 3648)
  - InstallHelper.exe (PID: 3492)
  - InstallHelper.exe (PID: 1712)
  - InstallHelper.exe (PID: 580)
- Adds / modifies Windows certificates
  - 有道云笔记_128116110.exe (PID: 3848)
  - hardwarecheck.exe (PID: 3364)
- Creates files in the Windows directory
  - svchost.exe (PID: 860)
  - Statistics.exe (PID: 1924)
- Drops a file that was compiled in debug mode
  - YNote116110.exe (PID: 2164)
  - 有道云笔记_128116110.exe (PID: 3848)
  - YoudaoNote.exe (PID: 2312)
  - Fastpdf_Setup_YunDong_260_4_20201204.exe (PID: 3356)
  - YoudaoDict_ynote.download.exe (PID: 1744)
  - InstallHelper.exe (PID: 3492)
  - QQLiveDownloader.exe (PID: 3648)
  - InstallHelper.exe (PID: 580)
  - InstallHelper.exe (PID: 1712)
- Low-level read access rights to disk partition
  - QQLiveDownloader.exe (PID: 3648)
  - hardwarecheck.exe (PID: 3364)
- Creates files in the user directory
  - QQLiveDownloader.exe (PID: 3648)
  - YNote116110.exe (PID: 2164)
  - YoudaoNote.exe (PID: 2312)
  - hardwarecheck.exe (PID: 2608)
  - hardwarecheck.exe (PID: 3508)
  - hardwarecheck.exe (PID: 3364)
  - HardwarecheckBrowser.exe (PID: 292)
  - QQLive.exe (PID: 3100)
  - QQLive.exe (PID: 1176)
  - QQLive.exe (PID: 880)
  - QQLive.exe (PID: 2016)
  - YoudaoDictInstaller.exe (PID: 3440)
  - QQLiveBrowser.exe (PID: 4384)
  - YoudaoDict_ynote.download.exe (PID: 1744)
  - QQLiveBrowser.exe (PID: 4464)
  - hardwarecheck.exe (PID: 4624)
- Drops a file with too old compile date
  - YNote116110.exe (PID: 2164)
  - Fastpdf_Setup_YunDong_260_4_20201204.exe (PID: 3356)
  - QQLiveDownloader.exe (PID: 3648)
  - InstallHelper.exe (PID: 3492)
- Creates a directory in Program Files
  - YNote116110.exe (PID: 2164)
  - YoudaoNote.exe (PID: 2312)
  - InstallDaemon.exe (PID: 3252)
  - Fastpdf_Setup_YunDong_260_4_20201204.exe (PID: 3356)
  - fpprotect.exe (PID: 2272)
  - QQLiveDownloader.exe (PID: 3648)
- Creates a software uninstall entry
  - YNote116110.exe (PID: 2164)
  - YoudaoNote.exe (PID: 2312)
  - Fastpdf_Setup_YunDong_260_4_20201204.exe (PID: 3356)
  - QQLiveDownloader.exe (PID: 3648)
  - YoudaoDict_ynote.download.exe (PID: 1744)
- Creates files in the program directory
  - InstallDaemon.exe (PID: 2808)
  - QQLiveDownloader.exe (PID: 3648)
  - YoudaoNote.exe (PID: 2312)
  - YNote116110.exe (PID: 2164)
  - InstallDaemon.exe (PID: 3252)
  - Fastpdf_Setup_YunDong_260_4_20201204.exe (PID: 3356)
  - YoudaoDictInstaller.exe (PID: 3440)
  - Statistics.exe (PID: 1924)
- Changes default file association
  - YoudaoNote.exe (PID: 2312)
  - fastpdf_ext_process.exe (PID: 2772)
  - fastpdf.exe (PID: 2628)
  - QQLive.exe (PID: 1176)
- Creates/Modifies COM task schedule object
  - regsvr32.exe (PID: 3596)
  - fastpdf_ext_process.exe (PID: 2772)
  - fastpdf_ext_process.exe (PID: 2612)
  - QQLiveDownloader.exe (PID: 3648)
  - regsvr32.exe (PID: 3024)
- Starts Internet Explorer
  - YoudaoNote.exe (PID: 2896)
- Executed as Windows Service
  - fpprotect.exe (PID: 2272)
- Reads default file associations for system extensions
  - fastpdf_ext_process.exe (PID: 2612)
- Application launched itself
  - QQLive.exe (PID: 3108)
  - cmd.exe (PID: 2552)
  - QQLive.exe (PID: 2016)
- Starts CMD.EXE for commands execution
  - cmd.exe (PID: 2552)
  - YoudaoDictInstaller.exe (PID: 3440)
- Uses ICACLS.EXE to modify access control list
  - QQLive.exe (PID: 3100)
INFO
- Application launched itself
  - chrome.exe (PID: 3260)
  - iexplore.exe (PID: 3072)
- Reads the hosts file
  - chrome.exe (PID: 3260)
  - chrome.exe (PID: 3232)
  - YoudaoNote.exe (PID: 3344)
- Dropped object may contain Bitcoin addresses
  - YNote116110.exe (PID: 2164)
  - Fastpdf_Setup_YunDong_260_4_20201204.exe (PID: 3356)
  - QQLiveDownloader.exe (PID: 3648)
  - QQLive.exe (PID: 2016)
- Changes internet zones settings
  - iexplore.exe (PID: 3072)
- Reads internet explorer settings
  - iexplore.exe (PID: 3424)
  - iexplore.exe (PID: 668)
- Reads settings of System Certificates
  - iexplore.exe (PID: 3072)
  - QQLive.exe (PID: 2016)
- Creates files in the user directory
  - iexplore.exe (PID: 3424)
  - iexplore.exe (PID: 3072)
- Changes settings of System certificates
  - iexplore.exe (PID: 3072)
- Adds / modifies Windows certificates
  - iexplore.exe (PID: 3072)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

118

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

292

"C:\Program Files\Tencent\QQLive\HardwarecheckBrowser.exe" /load=CefSubProcess.dll --high-dpi-support=1 --type=renderer --disable-accelerated-video-decode --disable-gpu-compositing --no-sandbox --disable-direct-write --client-id=gfwebctrl --enable-deferred-image-decoding --lang=en-US --lang=en-US --log-severity=disable --product-version=" QQLive/11115051/50202231" --ppapi-flash-path="C:\Windows\system32\Macromed\Flash\pepflashplayer32_26_0_0_131.dll" --device-scale-factor=1.00 --client-id=gfwebctrl --frame-rate=40 --device-scale-factor=1 --font-cache-shared-mem-suffix=3508 --enable-pinch-virtual-viewport --enable-delegated-renderer --num-raster-threads=2 --use-image-texture-target=3553 --disable-gpu-compositing --channel="3508.0.546271802\782146327" /prefetch:673131151

C:\Program Files\Tencent\QQLive\HardwarecheckBrowser.exe

—

hardwarecheck.exe

User:

admin

Company:

Tencent

Integrity Level:

HIGH

Description:

腾讯视频浏览器辅助进程

Exit code:

Version:

1.0.0.1

Modules

Images
c:\program files\tencent\qqlive\hardwarecheckbrowser.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\tencent\qqlive\common.dll
c:\program files\tencent\qqlive\zlib.dll
c:\program files\tencent\qqlive\msvcr100.dll
c:\program files\tencent\qqlive\libexpat.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll

540

YNoteCefRender.exe --type=renderer --no-sandbox --primordial-pipe-token=71BC5C8D41339BC76434FC5F98453A82 --lang=en-US --lang=zh-CN --log-file="C:\Users\admin\AppData\Local\Youdao\YNote\log\cef.log" --log-severity=warning --user-agent="Mozilla/5.0 (Windows 7; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36 YNoteCef/6.8.0.0 (Windows)" --disable-extensions --client_version=6.8.0.0 --enable-pinch --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553 --disable-accelerated-video-decode --disable-webrtc-hw-vp8-encoding --disable-gpu-compositing --service-request-channel-token=71BC5C8D41339BC76434FC5F98453A82 --renderer-client-id=2 --mojo-platform-channel-handle=1948 /prefetch:1

C:\Program Files\Youdao\YoudaoNote\YNoteCefRender.exe

—

YoudaoNote.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\program files\youdao\youdaonote\ynotecefrender.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\youdao\youdaonote\msvcr90.dll
c:\program files\youdao\youdaonote\msvcp90.dll
c:\program files\youdao\youdaonote\mfc90u.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll

580

"C:\Users\admin\AppData\Local\Temp\nst7FCD.tmp\InstallHelper.exe" "move" "C:\Users\admin\AppData\Local\Youdao\Dict\Application\install_8.9.6.0\YoudaoDict.exe" "C:\Users\admin\AppData\Local\Youdao\Dict\Application\YoudaoDict.exe"

C:\Users\admin\AppData\Local\Temp\nst7FCD.tmp\InstallHelper.exe

YoudaoDict_ynote.download.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\windows\system32\imm32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcr120_clr0400.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernel32.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe
c:\users\admin\appdata\local\temp\nst7fcd.tmp\installhelper.exe

604

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6eaaa9d0,0x6eaaa9e0,0x6eaaa9ec

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

75.0.3770.100

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll

664

C:\Windows\system32\cmd.exe /S /D /c" echo y"

C:\Windows\system32\cmd.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

668

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3072 CREDAT:799754 /prefetch:2

C:\Program Files\Internet Explorer\iexplore.exe

iexplore.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Internet Explorer

Exit code:

Version:

11.00.9600.16428 (winblue_gdr.131013-1700)

Modules

Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll

860

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\System32\svchost.exe

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

880

"C:\Program Files\Tencent\QQLive\QQLive.exe" -run_plugin

C:\Program Files\Tencent\QQLive\QQLive.exe

QQLiveDownloader.exe

User:

admin

Company:

Tencent

Integrity Level:

HIGH

Description:

腾讯视频

Exit code:

4278124286

Version:

11.11.5051.0

Modules

Images
c:\program files\tencent\qqlive\qqlive.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\tencent\qqlive\qqlivebase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

988

"C:\Users\admin\AppData\Local\Temp\nst7FCD.tmp\InstallHelper.exe" "move" "C:\Users\admin\AppData\Local\Youdao\Dict\Application\install_8.9.6.0\8.9.6.0" "C:\Users\admin\AppData\Local\Youdao\Dict\Application\8.9.6.0"

C:\Users\admin\AppData\Local\Temp\nst7FCD.tmp\InstallHelper.exe

—

YoudaoDict_ynote.download.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\nst7fcd.tmp\installhelper.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

1176

"C:\Program Files\Tencent\QQLive\QQLive.exe" -register

C:\Program Files\Tencent\QQLive\QQLive.exe

QQLiveDownloader.exe

User:

admin

Company:

Tencent

Integrity Level:

HIGH

Description:

腾讯视频

Exit code:

4278124286

Version:

11.11.5051.0

Modules

Images
c:\program files\tencent\qqlive\qqlive.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\tencent\qqlive\qqlivebase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll

Add for printing

Total events

7 223

Read events

5 389

Write events

1 802

Delete events

Modification events


(PID) Process:	(3260) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(3260) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(3260) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:	write	Name:	StatusCodes
Value:
(PID) Process:	(3260) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:	write	Name:	StatusCodes
Value: 01000000
(PID) Process:	(3540) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:	write	Name:	3260-13254490314128875
Value: 259
(PID) Process:	(3260) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(3260) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:	write	Name:	dr
Value: 1
(PID) Process:	(3260) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome
Operation:	write	Name:	UsageStatsInSample
Value: 0
(PID) Process:	(3260) chrome.exe	Key:	HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:	delete value	Name:	3252-13245750958665039
Value: 0
(PID) Process:	(3260) chrome.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:	write	Name:	usagestats
Value: 0

Add for printing

Executable files

397

Suspicious files

154

Text files

2 007

Unknown types

158

Dropped files

PID	Process	Filename		Type
3260	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5FF6E7CB-CBC.pma		—
		MD5:—	SHA256:—
3260	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\bdfc4ef8-ccbd-4251-8a35-9b139dc31726.tmp		—
		MD5:—	SHA256:—
3260	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000048.dbtmp		—
		MD5:—	SHA256:—
3260	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG.old		—
		MD5:—	SHA256:—
860	svchost.exe	C:\Windows\appcompat\programs\RecentFileCache.bcf		txt
		MD5:—	SHA256:—
3260	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old		text
		MD5:—	SHA256:—
3260	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old		text
		MD5:—	SHA256:—
3260	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old~RFe80e.TMP		text
		MD5:—	SHA256:—
3260	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RFe5cc.TMP		text
		MD5:—	SHA256:—
3260	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

127

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3848	有道云笔记_128116110.exe	GET	—	60.205.177.239:80	http://downloader.aldtop.com/client/next?step=3&theme=22&softid=116110&webid=128&channelid=128&user=fb08c43da586296e5c2042d2f9db2b10&user2=1da8e2ba355cc359fef25b2e6a6bd9b7&session=706e8387ec412a6f088be16db3115a72&ver=5.0.9.50&winver=6.1&sdsoft=0&city=0&userev=0&rnd=21945	CN	—	—	malicious
3848	有道云笔记_128116110.exe	GET	—	203.205.136.219:80	http://dldir1.qq.com/qqtv/azdk/QQLiveDownloader.exe	CN	—	—	whitelisted
3848	有道云笔记_128116110.exe	GET	200	182.92.156.114:80	http://api.aldtop.com/dll/debug?ver=t&webid=128&softid=116110&mac=570dba868abc2ed5e83cf2bd9e71b380&mode=followtask&taskid=8&step=0	CN	—	—	whitelisted
3848	有道云笔记_128116110.exe	GET	—	60.205.177.239:80	http://downloader.aldtop.com/client/next?step=128&theme=22&softid=116110&webid=128&channelid=128&user=fb08c43da586296e5c2042d2f9db2b10&user2=1da8e2ba355cc359fef25b2e6a6bd9b7&session=706e8387ec412a6f088be16db3115a72&ver=5.0.9.50&winver=6.1&sdsoft=0&city=0&userev=0&rnd=21961	CN	—	—	malicious
3848	有道云笔记_128116110.exe	GET	—	182.92.156.114:80	http://statapi.aldtop.com/fx/masx.php?ver=t&webid=128&softid=116110&mac=570dba868abc2ed5e83cf2bd9e71b380&sdsoft=0&lbg=0&city=0&rnd=18467	CN	—	—	malicious
3848	有道云笔记_128116110.exe	GET	—	60.205.177.239:80	http://downloader.aldtop.com/client/stat?step=3&theme=22&softid=116110&webid=128&channelid=128&user=fb08c43da586296e5c2042d2f9db2b10&user2=1da8e2ba355cc359fef25b2e6a6bd9b7&session=706e8387ec412a6f088be16db3115a72&state=4&button=200&ver=5.0.9.50&winver=6.1&sdsoft=0&city=0&userev=0&rnd=21961	CN	—	—	malicious
3848	有道云笔记_128116110.exe	GET	200	218.12.76.150:80	http://resource.aldtop.com/theme/222012179.dat	CN	binary	89.4 Kb	suspicious
3848	有道云笔记_128116110.exe	GET	200	218.12.76.163:80	http://www.51xiazai.cn/api/ryapi?webid=128&channelid=128&softid=116110&token=5c6bae37efcc399560c9faf27527dfe9	CN	xml	699 b	malicious
3848	有道云笔记_128116110.exe	GET	200	60.205.177.239:80	http://downloader.aldtop.com/client/debug?step=0&theme=22&softid=116110&webid=128&channelid=128&user=fb08c43da586296e5c2042d2f9db2b10&user2=1da8e2ba355cc359fef25b2e6a6bd9b7&session=706e8387ec412a6f088be16db3115a72&city=0&sdsoft=0&system=6.1&ie=9.11.9600.17843&isdeveloper=0&webid=128&channelid=128&softid=116110&filename=f id:g,h.0_128116110.exe&filesize=838768&filemd5=d41d8cd98f00b204e9800998ecf8427e&rnd=21644	CN	text	3 b	malicious
3848	有道云笔记_128116110.exe	POST	200	47.114.82.123:80	http://client.aldtop.com/api/v1/config	CN	text	155 b	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3232	chrome.exe	173.194.195.113:443	clients4.google.com	Google Inc.	US	whitelisted
3232	chrome.exe	106.14.229.23:443	n21ald.oss-cn-shanghai.aliyuncs.com	Hangzhou Alibaba Advertising Co.,Ltd.	CN	unknown
3232	chrome.exe	172.217.22.13:443	accounts.google.com	Google Inc.	US	whitelisted
3232	chrome.exe	172.217.23.99:443	ssl.gstatic.com	Google Inc.	US	whitelisted
3232	chrome.exe	172.217.212.93:443	sb-ssl.google.com	Google Inc.	US	unknown
3848	有道云笔记_128116110.exe	47.114.82.123:80	client.aldtop.com	—	CN	unknown
3848	有道云笔记_128116110.exe	218.12.76.150:80	resource.aldtop.com	CHINA UNICOM China169 Backbone	CN	malicious
3848	有道云笔记_128116110.exe	60.205.177.239:80	downloader.aldtop.com	Hangzhou Alibaba Advertising Co.,Ltd.	CN	malicious
3848	有道云笔记_128116110.exe	218.12.76.163:80	www.51xiazai.cn	CHINA UNICOM China169 Backbone	CN	malicious
3848	有道云笔记_128116110.exe	182.92.156.114:80	api.aldtop.com	Hangzhou Alibaba Advertising Co.,Ltd.	CN	malicious

DNS requests

Domain	IP	Reputation
n21ald.oss-cn-shanghai.aliyuncs.com	106.14.229.23	suspicious
clients4.google.com	173.194.195.113 173.194.195.138 173.194.195.102 173.194.195.101 173.194.195.100 173.194.195.139	whitelisted
accounts.google.com	172.217.22.13	shared
sb-ssl.google.com	172.217.212.93 172.217.212.91 172.217.212.190 172.217.212.136	whitelisted
ssl.gstatic.com	172.217.23.99	whitelisted
client.aldtop.com	47.114.82.123	suspicious
downloader.aldtop.com	60.205.177.239	unknown
resource.aldtop.com	218.12.76.150 120.52.95.243 120.52.95.242 218.12.76.151	suspicious
www.51xiazai.cn	218.12.76.163 120.52.95.235 120.52.95.234 218.12.76.164	malicious
api.aldtop.com	182.92.156.114	whitelisted

Threats

PID	Process	Class	Message
3848	有道云笔记_128116110.exe	A Network Trojan was detected	AV TROJAN Downer.C Variant Checkin
3848	有道云笔记_128116110.exe	Potentially Bad Traffic	ET MALWARE Downer.B Variant Checkin
3848	有道云笔记_128116110.exe	A Network Trojan was detected	ET MALWARE User-Agent (User-Agent Mozilla/4.0 (compatible ))
3848	有道云笔记_128116110.exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/RiskWare.Downer.A
3848	有道云笔记_128116110.exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/RiskWare.Downer.A
3848	有道云笔记_128116110.exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/RiskWare.Downer.A
3848	有道云笔记_128116110.exe	A Network Trojan was detected	ET MALWARE User-Agent (User-Agent Mozilla/4.0 (compatible ))
3848	有道云笔记_128116110.exe	A Network Trojan was detected	MALWARE [PTsecurity] Win32/RiskWare.Downer.A
3848	有道云笔记_128116110.exe	A Network Trojan was detected	ET MALWARE User-Agent (User-Agent Mozilla/4.0 (compatible ))
3848	有道云笔记_128116110.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP

1 ETPRO signatures available at the full report

Add for printing

Process	Message
YoudaoNote.exe	2021-01-07 10:54:39'278" 444 [DEBUG]
YoudaoNote.exe	Start App, args = install, GUID = PCb0de0c2e0377f8e6f, ClientVersion = 6.8.0.0
YoudaoNote.exe	2021-01-07 10:54:44'184" 444 [DEBUG]
YoudaoNote.exe	Exit App.
YoudaoNote.exe	2021-01-07 10:54:45'497" 3688 [DEBUG]
YoudaoNote.exe	Start App, args = installreport, GUID = PCb0de0c2e0377f8e6f, ClientVersion = 6.8.0.0
YoudaoNote.exe	2021-01-07 10:54:46'325" 3688 [DEBUG]
YoudaoNote.exe	Exit App.
RunYNote.exe	2021-01-07 10:54:52'669" 3984 [DEBUG]
RunYNote.exe	CRunYNoteApp::InitInstance(); File: .\RunYNote.cpp, Line: 80, Function: CRunYNoteApp::InitInstance

General Info

https://n21ald.oss-cn-shanghai.aliyuncs.com/download/%E6%9C%89%E9%81%93%E4%BA%91%E7%AC%94%E8%AE%B0_128116110.exe

C131535546F44F074AE5F5F6CC0BDA01

199E4D3CDD5EC4935D6FD26B6241F833D49FC8F3

978CFC152798AE12CF0B507E111F907D3691D62770A7A65FA1114950B1352533

3:N8NUEP4jNFjFzKLA8uAgRAgRKFSQ5mnAnBsbdA:2TP2o0BFmUzn2B

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Connects to CnC server

Changes settings of System certificates

Loads dropped or rewritten executable

Registers / Runs the DLL via REGSVR32.EXE

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

Drops a file with a compile date too recent

Adds / modifies Windows certificates

Creates files in the Windows directory

Drops a file that was compiled in debug mode

Low-level read access rights to disk partition

Creates files in the user directory

Drops a file with too old compile date

Creates a directory in Program Files

Creates a software uninstall entry

Creates files in the program directory

Changes default file association

Creates/Modifies COM task schedule object

Starts Internet Explorer

Executed as Windows Service

Reads default file associations for system extensions

Application launched itself

Starts CMD.EXE for commands execution

Uses ICACLS.EXE to modify access control list

INFO

Application launched itself

Reads the hosts file

Dropped object may contain Bitcoin addresses

Changes internet zones settings

Reads internet explorer settings

Reads settings of System Certificates

Creates files in the user directory

Changes settings of System certificates

Adds / modifies Windows certificates

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity