URL: http://app.iqiyi.com/pc/player/index.html

Full analysis: https://app.any.run/tasks/e3e8fef8-022c-44d0-9325-04f49a6db113
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 23, 2020, 04:01:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

D5A41783688EA6C6539ABE295DB8B5F1

SHA1:

54A264DC33ABE2F940C9F6EF71D1622210680E87

SHA256:

A089B07B705F7A219D308F27C2A1A3219E335302A1D336CA2F57CD9C20D2F5E8

SSDEEP:

3:N1KfNFKj1AaMLBaG:ClFwAcG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for user acknowledgement. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • IQIYIsetup_app.exe (PID: 1064)
      • QiyiDACL.exe (PID: 3816)
      • QiyiDACL.exe (PID: 4044)
      • rndhelper.exe (PID: 2512)
      • QiyiService.exe (PID: 600)
      • QyFragment.exe (PID: 916)
      • QiyiService.exe (PID: 2516)
      • QyFragment.exe (PID: 2592)
      • QyClient.exe (PID: 3932)
      • QyFragment.exe (PID: 3008)
      • QyKernel.exe (PID: 2880)
      • QyUpdate.exe (PID: 3016)
      • QyFragment.exe (PID: 3608)
      • QyFragment.exe (PID: 1536)
      • QyPlayer.exe (PID: 2284)
      • QyPlayer.exe (PID: 2800)
      • QyFragment.exe (PID: 3796)
      • QyFragment.exe (PID: 3060)
      • QyFragment.exe (PID: 3368)
      • QyFragment.exe (PID: 2884)
      • rundll32.exe (PID: 5432)
    • Application was dropped or rewritten from another process

      • IQIYIsetup_app.exe (PID: 1064)
      • nsEBBA.tmp (PID: 2360)
      • nsCC79.tmp (PID: 2624)
      • IQIYIsetup_app.exe (PID: 3812)
      • nsC999.tmp (PID: 576)
      • nsF10A.tmp (PID: 4056)
      • QiyiService.exe (PID: 600)
      • QyFragment.exe (PID: 2592)
      • QiyiDACL.exe (PID: 3816)
      • QyFragment.exe (PID: 916)
      • QiyiDACL.exe (PID: 4044)
      • QiyiService.exe (PID: 2516)
      • QyClient.exe (PID: 3932)
      • rndhelper.exe (PID: 2512)
      • QyFragment.exe (PID: 3008)
      • QyUpdate.exe (PID: 3016)
      • QyKernel.exe (PID: 2880)
      • QyFragment.exe (PID: 3608)
      • QyFragment.exe (PID: 1536)
      • QyPlayer.exe (PID: 2800)
      • QyFragment.exe (PID: 3796)
      • QyFragment.exe (PID: 3060)
      • QyFragment.exe (PID: 2884)
      • QyPlayer.exe (PID: 2284)
      • QyFragment.exe (PID: 3368)
    • Actions look like stealing of personal data

      • IQIYIsetup_app.exe (PID: 1064)
      • QyClient.exe (PID: 3932)
      • QyPlayer.exe (PID: 2284)
    • Downloads executable files from the Internet

      • chrome.exe (PID: 1200)
      • QyKernel.exe (PID: 2880)
    • Adds new firewall rule via NETSH.EXE

      • IQIYIsetup_app.exe (PID: 1064)
    • Changes the autorun value in the registry

      • IQIYIsetup_app.exe (PID: 1064)
    • Changes settings of System certificates

      • QyPlayer.exe (PID: 2284)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 2620)
      • IQIYIsetup_app.exe (PID: 1064)
      • QyKernel.exe (PID: 2880)
      • QyClient.exe (PID: 3932)
    • Starts SC.EXE for service management

      • nsCC79.tmp (PID: 2624)
      • nsC999.tmp (PID: 576)
      • QyFragment.exe (PID: 3608)
    • Modifies the open verb of a shell class

      • IQIYIsetup_app.exe (PID: 1064)
    • Creates files in the program directory

      • rndhelper.exe (PID: 2512)
      • QyFragment.exe (PID: 3608)
      • QyFragment.exe (PID: 3796)
      • IQIYIsetup_app.exe (PID: 1064)
      • QyKernel.exe (PID: 2880)
      • QyClient.exe (PID: 3932)
    • Starts application with an unusual extension

      • IQIYIsetup_app.exe (PID: 1064)
    • Reads Environment values

      • IQIYIsetup_app.exe (PID: 1064)
    • Creates files in the user directory

      • IQIYIsetup_app.exe (PID: 1064)
      • QyFragment.exe (PID: 916)
      • QyUpdate.exe (PID: 3016)
      • QyFragment.exe (PID: 3608)
      • QyKernel.exe (PID: 2880)
      • QyFragment.exe (PID: 1536)
      • QyPlayer.exe (PID: 2800)
      • QyFragment.exe (PID: 3796)
      • QyPlayer.exe (PID: 2284)
      • QyClient.exe (PID: 3932)
      • QyFragment.exe (PID: 3368)
    • Creates files in the Windows directory

      • IQIYIsetup_app.exe (PID: 1064)
    • Uses NETSH.EXE for network configuration

      • IQIYIsetup_app.exe (PID: 1064)
    • Changes IE settings (feature browser emulation)

      • IQIYIsetup_app.exe (PID: 1064)
    • Creates a software uninstall entry

      • IQIYIsetup_app.exe (PID: 1064)
    • Executed as Windows Service

      • QiyiService.exe (PID: 2516)
    • Reads Internet Cache Settings

      • QyFragment.exe (PID: 3008)
      • QyClient.exe (PID: 3932)
      • QyPlayer.exe (PID: 2284)
      • QyFragment.exe (PID: 3060)
      • QyFragment.exe (PID: 2884)
      • QyFragment.exe (PID: 3368)
      • rundll32.exe (PID: 5432)
    • Reads the cookies of Google Chrome

      • QyClient.exe (PID: 3932)
      • QyPlayer.exe (PID: 2284)
    • Reads the cookies of Mozilla Firefox

      • QyClient.exe (PID: 3932)
    • Application launched itself

      • QyFragment.exe (PID: 3608)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2620)
    • Uses RUNDLL32.EXE to load library

      • QyClient.exe (PID: 3932)
  • INFO

    • Reads the hosts file

      • chrome.exe (PID: 2620)
      • chrome.exe (PID: 1200)
    • Dropped object may contain Bitcoin addresses

      • IQIYIsetup_app.exe (PID: 1064)
      • QyClient.exe (PID: 3932)
    • Reads settings of System Certificates

      • chrome.exe (PID: 1200)
      • QyPlayer.exe (PID: 2284)
    • Application launched itself

      • chrome.exe (PID: 2620)
    • Reads Internet Cache Settings

      • chrome.exe (PID: 2620)
    • Manual execution by user

      • QyFragment.exe (PID: 2592)
      • QyClient.exe (PID: 3932)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
120
Monitored processes
64
Malicious processes
24
Suspicious processes
0

Behavior graph

[Interactive process graph; see the full report]

Process information

PID
CMD
Path
Indicators
Parent process
PID:
116
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=996,12782109367461976750,2876491159310191514,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=9907461883275646607 --mojo-platform-channel-handle=1008 --ignored=" --type=renderer " /prefetch:2
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID:
392
CMD:
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="爱奇艺短视频" dir=in program="C:\Program Files\IQIYI Video\LStyle\7.6.114.1948\QYAppPlugin\xPlayer\QyClient.exe" action=allow description="C:\Program Files\IQIYI Video\LStyle\7.6.114.1948\QYAppPlugin\xPlayer\QyClient.exe"
Path:
C:\Windows\system32\netsh.exe
Parent process:
IQIYIsetup_app.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Network Command Shell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\netsh.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll
PID:
576
CMD:
"C:\Users\admin\AppData\Local\Temp\nsd9615.tmp\nsC999.tmp" sc stop QiyiService
Path:
C:\Users\admin\AppData\Local\Temp\nsd9615.tmp\nsC999.tmp
Parent process:
IQIYIsetup_app.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1060
Modules
Images
c:\users\admin\appdata\local\temp\nsd9615.tmp\nsc999.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID:
600
CMD:
"C:\Program Files\IQIYI Video\LStyle\7.6.114.1948\QiyiService.exe" -i
Path:
C:\Program Files\IQIYI Video\LStyle\7.6.114.1948\QiyiService.exe
Parent process:
nsF10A.tmp
User:
admin
Company:
BEIJING QIYI CENTURY SCIENCE&TECHNOLOGY CO.,LTD.
Integrity Level:
HIGH
Description:
iQIYI Video Platform Service (爱奇艺视频平台服务)
Exit code:
1
Version:
7.6.114.1948
Modules
Images
c:\program files\iqiyi video\lstyle\7.6.114.1948\qiyiservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\userenv.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\profapi.dll
c:\windows\system32\version.dll
PID:
916
CMD:
"C:\Program Files\IQIYI Video\LStyle\7.6.114.1948\QyFragment.exe" --runmode=makeppstat --ppsdat=010110111592885019
Path:
C:\Program Files\IQIYI Video\LStyle\7.6.114.1948\QyFragment.exe
Parent process:
IQIYIsetup_app.exe
User:
admin
Company:
iQIYI (爱奇艺)
Integrity Level:
HIGH
Description:
iQIYI Video Helper Program (爱奇艺视频辅助程序)
Exit code:
0
Version:
7.6.114.1948
Modules
Images
c:\program files\iqiyi video\lstyle\7.6.114.1948\qyfragment.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\iqiyi video\lstyle\7.6.114.1948\quilib.dll
c:\program files\iqiyi video\lstyle\7.6.114.1948\gbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winmm.dll
PID:
1064
CMD:
"C:\Users\admin\Downloads\IQIYIsetup_app.exe"
Path:
C:\Users\admin\Downloads\IQIYIsetup_app.exe
Parent process:
chrome.exe
User:
admin
Company:
iQIYI (爱奇艺)
Integrity Level:
HIGH
Description:
iQIYI Installer (爱奇艺 安装程序)
Exit code:
0
Version:
7.6.114.1948
Modules
Images
c:\users\admin\downloads\iqiyisetup_app.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID:
1200
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=996,12782109367461976750,2876491159310191514,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=8752996682222560097 --mojo-platform-channel-handle=1644 /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID:
1536
CMD:
"C:\Program Files\IQIYI Video\LStyle\7.6.114.1948\QyFragment.exe" --runmode=bubble
Path:
C:\Program Files\IQIYI Video\LStyle\7.6.114.1948\QyFragment.exe
Parent process:
QyFragment.exe
User:
admin
Company:
iQIYI (爱奇艺)
Integrity Level:
MEDIUM
Description:
iQIYI Video Helper Program (爱奇艺视频辅助程序)
Exit code:
0
Version:
7.6.114.1948
Modules
Images
c:\program files\iqiyi video\lstyle\7.6.114.1948\qyfragment.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\iqiyi video\lstyle\7.6.114.1948\quilib.dll
c:\program files\iqiyi video\lstyle\7.6.114.1948\gbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\psapi.dll
c:\windows\system32\winmm.dll
PID:
2032
CMD:
sc delete QiyiService
Path:
C:\Windows\system32\sc.exe
Parent process:
nsCC79.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
A tool to aid in developing services for WindowsNT
Exit code:
1060
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID:
2072
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=996,12782109367461976750,2876491159310191514,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=93492862848314011 --mojo-platform-channel-handle=500 --ignored=" --type=renderer " /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
Total events
3 099
Read events
2 320
Write events
758
Delete events
21

Modification events

(PID) Process:
(2620) chrome.exe
Key:
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:
write
Name:
failed_count
Value:
0
(PID) Process:
(2620) chrome.exe
Key:
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:
write
Name:
state
Value:
2
(PID) Process:
(2620) chrome.exe
Key:
HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:
write
Name:
StatusCodes
Value:
(PID) Process:
(2620) chrome.exe
Key:
HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation:
write
Name:
StatusCodes
Value:
01000000
(PID) Process:
(2620) chrome.exe
Key:
HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation:
write
Name:
state
Value:
1
(PID) Process:
(2148) chrome.exe
Key:
HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:
write
Name:
2620-13237358527457875
Value:
259
(PID) Process:
(2620) chrome.exe
Key:
HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:
write
Name:
dr
Value:
1
(PID) Process:
(2620) chrome.exe
Key:
HKEY_CURRENT_USER\Software\Google\Chrome
Operation:
write
Name:
UsageStatsInSample
Value:
0
(PID) Process:
(2620) chrome.exe
Key:
HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:
delete value
Name:
3120-13213713943555664
Value:
0
(PID) Process:
(2620) chrome.exe
Key:
HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation:
delete value
Name:
2620-13237358527457875
Value:
259
Executable files
316
Suspicious files
215
Text files
3 189
Unknown types
42

Dropped files

PID
Process
Filename
Type
PID:
2620
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5EF17EC0-A3C.pma
MD5:
SHA256:
PID:
2620
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\400faf3c-ca09-498f-9b70-5ec6cb04a2cb.tmp
MD5:
SHA256:
PID:
2620
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000028.dbtmp
MD5:
SHA256:
PID:
2620
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
Type:
text
MD5:
SHA256:
PID:
2620
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF109e07.TMP
Type:
text
MD5:
SHA256:
PID:
2620
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.old
Type:
text
MD5:
SHA256:
PID:
2620
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old
Type:
text
MD5:
SHA256:
PID:
2620
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old~RF109e45.TMP
Type:
text
MD5:
SHA256:
PID:
2620
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old
MD5:
SHA256:
PID:
2620
Process:
chrome.exe
Filename:
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old~RF109ffb.TMP
MD5:
SHA256:
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests
720
TCP/UDP connections
692
DNS requests
268
Threats
15

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1200
chrome.exe
GET
200
104.108.35.180:80
http://stc.iqiyipic.com/js/lib/sea1.2.jenkins-feLibRelease-100.js
NL
text
90.0 Kb
unknown
1200
chrome.exe
GET
200
104.108.35.180:80
http://stc.iqiyipic.com/gaze/uniqy/main/css/pageCommon.770f793a.css
NL
text
15.8 Kb
unknown
1200
chrome.exe
GET
200
104.108.35.180:80
http://www.iqiyipic.com/common/fix/site-v4/app/screenshot-win2.png
NL
image
96.4 Kb
suspicious
1200
chrome.exe
GET
200
104.108.35.180:80
http://www.iqiyipic.com/common/fix/site-v4/app/screenshot-win1.png
NL
image
134 Kb
suspicious
1200
chrome.exe
GET
200
104.108.35.180:80
http://www.iqiyipic.com/common/fix/site-v4/app/screenshot-win3.png
NL
image
111 Kb
suspicious
1200
chrome.exe
GET
200
104.108.35.180:80
http://stc.iqiyipic.com/gaze/uniqy/main/css/app.39b421dd.css
NL
text
6.88 Kb
unknown
1200
chrome.exe
GET
200
104.108.35.180:80
http://www.iqiyipic.com/common/fix/site-v4/sprite-headLogo-nonIndex.png
NL
image
4.92 Kb
suspicious
1200
chrome.exe
GET
200
104.108.35.180:80
http://www.iqiyipic.com/common/fix/appSr-images/bannerBg-pc.png
NL
image
90.1 Kb
suspicious
1200
chrome.exe
GET
200
104.108.35.180:80
http://www.iqiyipic.com/common/fix/site-v4/app/screenshot-win4.png
NL
image
119 Kb
suspicious
1200
chrome.exe
GET
200
104.108.35.180:80
http://www.iqiyipic.com/common/fix/site-v4/app/yuan-win2.png
NL
image
12.9 Kb
suspicious

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1200
chrome.exe
180.101.49.201:80
cpro.baidu.com
CHINANET Nanjing IDC network
CN
suspicious
1200
chrome.exe
111.202.114.38:80
datax.baidu.com
China Unicom Beijing Province Network
CN
unknown
1200
chrome.exe
118.26.32.10:443
cook.iqiyi.com
CN
unknown
1200
chrome.exe
123.125.84.232:80
search.video.iqiyi.com
China Unicom Beijing Province Network
CN
unknown
1200
chrome.exe
172.217.23.163:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
1200
chrome.exe
216.58.208.45:443
accounts.google.com
Google Inc.
US
whitelisted
1200
chrome.exe
36.110.209.201:80
app.iqiyi.com
IDC, China Telecommunications Corporation
CN
malicious
1200
chrome.exe
104.108.35.180:80
stc.iqiyipic.com
Akamai Technologies, Inc.
NL
unknown
1200
chrome.exe
111.206.13.64:80
security.iqiyi.com
China Unicom Beijing Province Network
CN
unknown
1200
chrome.exe
104.108.67.239:80
static.qiyi.com
Akamai Technologies, Inc.
NL
whitelisted

DNS requests

Domain
IP
Reputation
app.iqiyi.com
  • 36.110.209.201
  • 36.110.209.200
suspicious
clientservices.googleapis.com
  • 172.217.23.163
whitelisted
accounts.google.com
  • 216.58.208.45
shared
stc.iqiyipic.com
  • 104.108.35.180
unknown
www.iqiyipic.com
  • 104.108.35.180
suspicious
security.iqiyi.com
  • 111.206.13.64
  • 111.206.13.63
suspicious
static.qiyi.com
  • 104.108.67.239
suspicious
aipindao.iqiyi.com
  • 111.206.13.64
  • 111.206.13.63
unknown
auto.iqiyi.com
  • 111.206.13.64
  • 111.206.13.63
unknown
baby.iqiyi.com
  • 111.206.13.64
  • 111.206.13.63
suspicious

Threats

PID
Process
Class
Message
1200
chrome.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1200
chrome.exe
Misc activity
ET INFO EXE - Served Attached HTTP
1064
IQIYIsetup_app.exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User-Agent (HttpDownload)
2516
QiyiService.exe
A Network Trojan was detected
ET USER_AGENTS Suspicious User-Agent (HttpDownload)
2880
QyKernel.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2880
QyKernel.exe
Misc activity
ET INFO EXE - Served Attached HTTP
2284
QyPlayer.exe
Potential Corporate Privacy Violation
ET POLICY Outdated Flash Version M1
2284
QyPlayer.exe
Potential Corporate Privacy Violation
ET POLICY Outdated Flash Version M1
3608
QyFragment.exe
A Network Trojan was detected
ET MALWARE Alexa Search Toolbar User-Agent 2 (Alexa Toolbar)
6 ETPRO signatures available in the full report
Process
Message
IQIYIsetup_app.exe
configFileName:C:\Users\Public\QiYi\QiyiHCDN\Config\psnetwork.ini
IQIYIsetup_app.exe
configFileName:C:\Users\Public\QiYi\QiyiHCDN\Config\psnetwork.ini
IQIYIsetup_app.exe
NVIDIA Api not initialized
IQIYIsetup_app.exe
NVIDIA Api not initialized
IQIYIsetup_app.exe
NVIDIA Api not initialized
QiyiService.exe
configFileName:C:\Users\Public\QiYi\QiyiHCDN\Config\psnetwork.ini
QiyiService.exe
configFileName:C:\Users\Public\QiYi\QiyiHCDN\Config\psnetwork.ini
QyFragment.exe
configFileName:C:\Users\Public\QiYi\QiyiHCDN\Config\psnetwork.ini
QyClient.exe
configFileName:C:\Users\Public\QiYi\QiyiHCDN\Config\psnetwork.ini
QyClient.exe