URL:

http://www.downcc.com/soft/350689.html

Full analysis: https://app.any.run/tasks/57797fe6-ea2b-430d-bea1-7c51beaec3cf
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: October 24, 2019, 17:25:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
loader
adware
pup
pua
softcnapp
Indicators:
MD5:

E41F580E4220DF6F13CFEB57DAF71E15

SHA1:

B2FBB03FF13DA9FFE46916E5C4C045BD391F9EF2

SHA256:

DB49C4FDB414B9E167EE908FE771642F4076F71006E26BC7EFF41A1B2AA95B5A

SSDEEP:

3:N1KJS4BLdIKN7QuUJ:Cc4BZI8Q7J

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 货币银行学易纲最新版_143_350689.exe (PID: 3388)
      • 货币银行学易纲最新版_143_350689.exe (PID: 1820)
      • 货币银行学易纲最新版_143_350689.exe (PID: 2692)
      • 1106.exe (PID: 3592)
      • iPDFSetup_V1015.exe (PID: 3564)
      • ReaderTransSvr.exe (PID: 2888)
      • ReaderTransSvr.exe (PID: 1916)
      • iPDF.exe (PID: 3600)
      • 1112.exe (PID: 3032)
      • iPDF.exe (PID: 3720)
      • setup_ksrjzs_ksrjzs52nodkpk_v1.0_silent.exe (PID: 2488)
      • transferCon.exe (PID: 3076)
      • UpdateChecker.exe (PID: 2892)
      • rjzscheck.exe (PID: 3220)
      • rjzstools.exe (PID: 3360)
      • SoftWareAssistor.exe (PID: 2484)
      • 1115.exe (PID: 3352)
      • rjzstools.exe (PID: 3100)
      • 1114.exe (PID: 3828)
      • Services.exe (PID: 1884)
      • rjzstools.exe (PID: 2200)
      • rjzstools.exe (PID: 3668)
      • Finder_Setup_4127703907_cml_001.exe (PID: 2188)
      • finder-service.exe (PID: 3044)
      • finder.exe (PID: 3956)
      • finder.exe (PID: 3616)
      • kuaisu-news3.exe (PID: 2788)
      • kuaisu-mini3.exe (PID: 2368)
      • finder.exe (PID: 2332)
      • finder-service.exe (PID: 3416)
      • finder-service.exe (PID: 3940)
      • Services.exe (PID: 2584)
      • WnZipPower32.exe (PID: 3136)
      • WnZipUtility.exe (PID: 2208)
      • WnZipVirtualCD.exe (PID: 1024)
      • WnZipPower32.exe (PID: 3424)
      • WnZipService.exe (PID: 1732)
      • rjzscheck.exe (PID: 920)
      • TimeHelp.exe (PID: 3992)
      • KuaiZip.exe (PID: 5400)
      • WnZipUtility.exe (PID: 4372)
      • WnZipUtility.exe (PID: 5416)
      • WnZipUtility.exe (PID: 2812)
      • WnZipUpd.exe (PID: 4824)
    • Downloads executable files from the Internet

      • chrome.exe (PID: 2184)
      • 货币银行学易纲最新版_143_350689.exe (PID: 3388)
      • 1106.exe (PID: 3592)
      • rjzstools.exe (PID: 3668)
      • rjzstools.exe (PID: 2200)
      • 1112.exe (PID: 3032)
      • 1114.exe (PID: 3828)
      • 1115.exe (PID: 3352)
    • SOFTCNAPP was detected

      • 货币银行学易纲最新版_143_350689.exe (PID: 2692)
      • WnZipUtility.exe (PID: 2208)
      • TimeHelp.exe (PID: 3992)
      • WnZipUtility.exe (PID: 5416)
      • WnZipUtility.exe (PID: 2812)
    • Loads dropped or rewritten executable

      • 1106.exe (PID: 3592)
      • ReaderTransSvr.exe (PID: 2888)
      • ReaderTransSvr.exe (PID: 1916)
      • regsvr32.exe (PID: 1892)
      • iPDF.exe (PID: 3600)
      • iPDFSetup_V1015.exe (PID: 3564)
      • iPDF.exe (PID: 3720)
      • SoftWareAssistor.exe (PID: 2484)
      • regsvr32.exe (PID: 2188)
      • finder.exe (PID: 3956)
      • regsvr32.exe (PID: 2632)
      • finder.exe (PID: 3616)
      • explorer.exe (PID: 352)
      • svchost.exe (PID: 864)
      • regsvr32.exe (PID: 2164)
      • finder.exe (PID: 2332)
      • WnZipPower32.exe (PID: 3424)
      • regsvr32.exe (PID: 3644)
      • regsvr32.exe (PID: 4028)
      • rjzscheck.exe (PID: 920)
      • svchost.exe (PID: 4432)
      • KuaiZip.exe (PID: 5400)
      • regsvr32.exe (PID: 2612)
      • WnZipUpd.exe (PID: 4824)
    • Registers / Runs the DLL via REGSVR32.EXE

      • iPDFSetup_V1015.exe (PID: 3564)
      • rjzstools.exe (PID: 3100)
      • Finder_Setup_4127703907_cml_001.exe (PID: 2188)
      • 1112.exe (PID: 3032)
      • 1115.exe (PID: 3352)
      • 1114.exe (PID: 3828)
    • Changes the autorun value in the registry

      • SoftWareAssistor.exe (PID: 2484)
      • finder.exe (PID: 3956)
    • Connects to CnC server

      • setup_ksrjzs_ksrjzs52nodkpk_v1.0_silent.exe (PID: 2488)
      • 1112.exe (PID: 3032)
      • 1115.exe (PID: 3352)
      • WnZipUtility.exe (PID: 2208)
      • 1114.exe (PID: 3828)
      • WnZipUtility.exe (PID: 4372)
    • Loads the Task Scheduler COM API

      • finder.exe (PID: 3956)
      • 1112.exe (PID: 3032)
      • 1115.exe (PID: 3352)
      • 1114.exe (PID: 3828)
    • Creates or modifies windows services

      • regsvr32.exe (PID: 2612)
  • SUSPICIOUS

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 1928)
    • Executed via COM

      • explorer.exe (PID: 1896)
    • Reads internet explorer settings

      • 货币银行学易纲最新版_143_350689.exe (PID: 3388)
    • Application launched itself

      • 货币银行学易纲最新版_143_350689.exe (PID: 3388)
      • WnZipPower32.exe (PID: 3136)
      • WnZipUtility.exe (PID: 2812)
    • Uses NETSTAT.EXE to discover network connections

      • cmd.exe (PID: 3088)
    • Starts CMD.EXE for commands execution

      • 货币银行学易纲最新版_143_350689.exe (PID: 3388)
      • iPDFSetup_V1015.exe (PID: 3564)
    • Creates files in the user directory

      • 货币银行学易纲最新版_143_350689.exe (PID: 2692)
      • 货币银行学易纲最新版_143_350689.exe (PID: 3388)
      • iPDFSetup_V1015.exe (PID: 3564)
      • ReaderTransSvr.exe (PID: 2888)
      • iPDF.exe (PID: 3720)
      • Finder_Setup_4127703907_cml_001.exe (PID: 2188)
      • rjzstools.exe (PID: 2200)
      • rjzstools.exe (PID: 3668)
      • finder.exe (PID: 2332)
      • 1112.exe (PID: 3032)
      • 1115.exe (PID: 3352)
      • 1114.exe (PID: 3828)
    • Searches for installed software

      • 货币银行学易纲最新版_143_350689.exe (PID: 2692)
    • Executable content was dropped or overwritten

      • chrome.exe (PID: 2184)
      • chrome.exe (PID: 1928)
      • 1106.exe (PID: 3592)
      • 货币银行学易纲最新版_143_350689.exe (PID: 3388)
      • iPDFSetup_V1015.exe (PID: 3564)
      • setup_ksrjzs_ksrjzs52nodkpk_v1.0_silent.exe (PID: 2488)
      • rjzstools.exe (PID: 2200)
      • rjzstools.exe (PID: 3668)
      • Finder_Setup_4127703907_cml_001.exe (PID: 2188)
      • 1112.exe (PID: 3032)
      • WnZipVirtualCD.exe (PID: 1024)
      • 1115.exe (PID: 3352)
      • 1114.exe (PID: 3828)
    • Changes the started page of IE

      • 货币银行学易纲最新版_143_350689.exe (PID: 2692)
    • Reads Internet Cache Settings

      • explorer.exe (PID: 352)
      • explorer.exe (PID: 1896)
      • 货币银行学易纲最新版_143_350689.exe (PID: 3388)
      • iPDF.exe (PID: 3720)
    • Starts Internet Explorer

      • explorer.exe (PID: 352)
    • Low-level read access rights to disk partition

      • 1106.exe (PID: 3592)
      • Finder_Setup_4127703907_cml_001.exe (PID: 2188)
      • 1112.exe (PID: 3032)
      • 1114.exe (PID: 3828)
      • 1115.exe (PID: 3352)
    • Starts itself from another location

      • 货币银行学易纲最新版_143_350689.exe (PID: 3388)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 3436)
      • cmd.exe (PID: 2240)
    • Creates files in the program directory

      • iPDFSetup_V1015.exe (PID: 3564)
      • 货币银行学易纲最新版_143_350689.exe (PID: 3388)
      • WnZipUtility.exe (PID: 2208)
    • Creates a software uninstall entry

      • iPDFSetup_V1015.exe (PID: 3564)
      • setup_ksrjzs_ksrjzs52nodkpk_v1.0_silent.exe (PID: 2488)
      • Finder_Setup_4127703907_cml_001.exe (PID: 2188)
      • 1112.exe (PID: 3032)
      • WnZipUtility.exe (PID: 2208)
    • Executed as Windows Service

      • ReaderTransSvr.exe (PID: 2888)
      • Services.exe (PID: 1884)
      • finder-service.exe (PID: 3940)
      • WnZipService.exe (PID: 1732)
    • Creates files in the Windows directory

      • ReaderTransSvr.exe (PID: 2888)
      • svchost.exe (PID: 864)
      • WnZipVirtualCD.exe (PID: 1024)
    • Creates COM task schedule object

      • regsvr32.exe (PID: 1892)
      • regsvr32.exe (PID: 2188)
      • regsvr32.exe (PID: 2164)
      • regsvr32.exe (PID: 2632)
      • WnZipPower32.exe (PID: 3424)
      • regsvr32.exe (PID: 4028)
      • regsvr32.exe (PID: 3644)
    • Modifies the open verb of a shell class

      • regsvr32.exe (PID: 1892)
      • iPDF.exe (PID: 3600)
      • WnZipUtility.exe (PID: 2208)
      • KuaiZip.exe (PID: 5400)
    • Creates files in the driver directory

      • WnZipVirtualCD.exe (PID: 1024)
    • Changes IE settings (feature browser emulation)

      • TimeHelp.exe (PID: 3992)
  • INFO

    • Reads the hosts file

      • chrome.exe (PID: 2184)
      • chrome.exe (PID: 1928)
    • Application launched itself

      • chrome.exe (PID: 1928)
      • iexplore.exe (PID: 3864)
    • Reads Internet Cache Settings

      • chrome.exe (PID: 1928)
      • iexplore.exe (PID: 1956)
      • iexplore.exe (PID: 4056)
      • iexplore.exe (PID: 2540)
    • Manual execution by user

      • iexplore.exe (PID: 4040)
      • iPDF.exe (PID: 3720)
    • Changes internet zones settings

      • iexplore.exe (PID: 4040)
      • iexplore.exe (PID: 4080)
      • iexplore.exe (PID: 3864)
    • Reads internet explorer settings

      • iexplore.exe (PID: 1956)
      • iexplore.exe (PID: 4056)
      • iexplore.exe (PID: 2540)
    • Creates files in the user directory

      • iexplore.exe (PID: 1956)
      • iexplore.exe (PID: 4056)
      • iexplore.exe (PID: 2540)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 4040)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 4040)
    • Changes settings of System certificates

      • iexplore.exe (PID: 4040)
    • Dropped object may contain Bitcoin addresses

      • 1112.exe (PID: 3032)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
168
Monitored processes
112
Malicious processes
27
Suspicious processes
14

Behavior graph

Interactive process graph (not reproduced here); available in the full report.

Process information

PID
CMD
Path
Indicators
Parent process
PID:
284
CMD:
regsvr32.exe /s /u C:\Users\admin\AppData\Roaming\finder\finder-search-shellext.dll
Path:
C:\Windows\system32\regsvr32.exe
Parent process:
Finder_Setup_4127703907_cml_001.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft(C) Register Server
Exit code:
3
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID:
292
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1016,2159112643125025180,2329015755391564346,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=4975188652086040841 --mojo-platform-channel-handle=3196 --ignored=" --type=renderer " /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID:
352
CMD:
C:\Windows\Explorer.EXE
Path:
C:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\winanr.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
392"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1016,2159112643125025180,2329015755391564346,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=91952895460676360 --mojo-platform-channel-handle=3620 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID:
864
CMD:
C:\Windows\system32\svchost.exe -k netsvcs
Path:
C:\Windows\System32\svchost.exe
Parent process:
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID:
920
CMD:
"C:\Users\admin\AppData\Roaming\ksrjzs\rjzscheck.exe" xxrun
Path:
C:\Users\admin\AppData\Roaming\ksrjzs\rjzscheck.exe
Parent process:
explorer.exe
User:
admin
Company:
上海萌格电子商务有限公司
Integrity Level:
MEDIUM
Description:
快速软件助手 (Kuaisu Software Assistant)
Exit code:
0
Version:
1.0
Modules
Images
c:\users\admin\appdata\roaming\ksrjzs\rjzscheck.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID:
940
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1016,2159112643125025180,2329015755391564346,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=2324600066433553403 --mojo-platform-channel-handle=2984 --ignored=" --type=renderer " /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID:
976
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,2159112643125025180,2329015755391564346,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=14192645804768826165 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID:
1024
CMD:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1016,2159112643125025180,2329015755391564346,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=8642545473014503523 --mojo-platform-channel-handle=3148 --ignored=" --type=renderer " /prefetch:8
Path:
C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process:
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\75.0.3770.100\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
PID:
1024
CMD:
"C:\Program Files\WanNengZip\WnZipVirtualCD.exe" /install
Path:
C:\Program Files\WanNengZip\WnZipVirtualCD.exe
Parent process:
WnZipUtility.exe
User:
admin
Company:
www.wn51.com
Integrity Level:
HIGH
Description:
虚拟光盘 (Virtual CD)
Exit code:
0
Version:
1.0.0.11031
Modules
Images
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\secur32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\webio.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\dwrite.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wtsapi32.dll
Total events
15 948
Read events
12 505
Write events
3 375
Delete events
68

Modification events

Process: (352) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (1928) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation: write
Name: failed_count
Value: 0

Process: (1928) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 2

Process: (1928) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation: write
Name: StatusCodes
Value:

Process: (1928) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty
Operation: write
Name: StatusCodes
Value: 01000000

Process: (1928) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon
Operation: write
Name: state
Value: 1

Process: (2424) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation: write
Name: 1928-13216411534241125
Value: 259

Process: (1928) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation: write
Name: dr
Value: 1

Process: (1928) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome
Operation: write
Name: UsageStatsInSample
Value: 0

Process: (1928) chrome.exe
Key: HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes
Operation: delete value
Name: 1512-13197841398593750
Value: 0
Executable files
159
Suspicious files
88
Text files
1 741
Unknown types
51

Dropped files

PID | Process | Filename | Type
1928 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\cd61bf94-3d87-4060-b0f9-b2b65163cae2.tmp |
1928 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000020.dbtmp |
1928 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG.old |
864 | svchost.exe | C:\Windows\appcompat\programs\RecentFileCache.bcf | txt
1928 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old | text
1928 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old |
1928 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old | text
1928 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old | text
1928 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1 |
1928 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.old | text
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
290
TCP/UDP connections
298
DNS requests
120
Threats
61

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2184 | chrome.exe | GET | 200 | 47.75.61.68:80 | http://www.downcc.com/inc/downcc.js | US | text | 15.2 Kb | malicious
2184 | chrome.exe | GET | 200 | 47.75.61.68:80 | http://www.downcc.com/inc/SoftLinkType.js | US | text | 1.25 Kb | malicious
2184 | chrome.exe | GET | 200 | 47.75.61.68:80 | http://www.downcc.com/statics/js/down.js | US | html | 3.25 Kb | malicious
2184 | chrome.exe | GET | 200 | 47.75.61.68:80 | http://www.downcc.com/js/main.js | US | text | 21.8 Kb | malicious
2184 | chrome.exe | GET | 200 | 175.100.207.232:80 | http://pv.sohu.com/cityjson | HK | text | 84 b | malicious
2184 | chrome.exe | GET | 200 | 47.75.61.68:80 | http://www.downcc.com/statics/jquery.js | US | text | 90.3 Kb | malicious
2184 | chrome.exe | GET | 301 | 47.75.61.68:80 | http://pic.downcc.com/upload/2017-10/20171081358148513.jpg | US | html | 169 b | malicious
2184 | chrome.exe | GET | 200 | 47.75.61.68:80 | http://www.downcc.com/skin/gr/images/c_bad.png | US | image | 521 b | malicious
2184 | chrome.exe | GET | 301 | 47.75.61.68:80 | http://pic.downcc.com/skin/img/pdf.jpg | US | html | 169 b | malicious
2184 | chrome.exe | GET | 301 | 47.75.61.68:80 | http://pic.downcc.com/upload/2018-1/20181221414303307.jpg | US | html | 169 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2184 | chrome.exe | 172.217.18.99:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
2184 | chrome.exe | 216.58.205.237:443 | accounts.google.com | Google Inc. | US | whitelisted
2184 | chrome.exe | 47.75.61.68:80 | www.downcc.com | | US | unknown
2184 | chrome.exe | 216.58.208.36:443 | www.google.com | Google Inc. | US | whitelisted
2184 | chrome.exe | 175.100.207.232:80 | pv.sohu.com | ISP | HK | malicious
2184 | chrome.exe | 113.96.178.35:443 | cpro.baidustatic.com | No.31,Jin-rong Street | CN | suspicious
2184 | chrome.exe | 61.184.202.19:80 | pic.xiazaicc.com | No.31,Jin-rong Street | CN | unknown
2184 | chrome.exe | 216.58.208.35:443 | ssl.gstatic.com | Google Inc. | US | whitelisted
2184 | chrome.exe | 13.35.253.113:443 | jspassport.ssl.qhimg.com | | US | suspicious
2184 | chrome.exe | 143.204.214.25:443 | s.ssl.qhres.com | | US | suspicious

DNS requests

Domain | IP | Reputation
clientservices.googleapis.com | 172.217.18.99 | whitelisted
www.downcc.com | 47.75.61.68 | malicious
accounts.google.com | 216.58.205.237 | shared
pic.downcc.com | 47.75.61.68 | malicious
www.google.com | 216.58.208.36 | malicious
pv.sohu.com | 175.100.207.232, 175.100.207.231, 175.100.207.233 | malicious
js.downcc.com | 218.92.216.80 | unknown
cpro.baidustatic.com | 113.96.178.35 | whitelisted
pic.xiazaicc.com | 61.184.202.19 | malicious
ssl.gstatic.com | 216.58.208.35 | whitelisted

Threats

PID | Process | Class | Message
2184 | chrome.exe | Misc activity | SUSPICIOUS [PTsecurity] sohu.com External IP Check
2184 | chrome.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3388 | 货币银行学易纲最新版_143_350689.exe | Misc activity | SUSPICIOUS [PTsecurity] External IP Check
3388 | 货币银行学易纲最新版_143_350689.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2692 | 货币银行学易纲最新版_143_350689.exe | Misc activity | ADWARE [PTsecurity] Softcnapp.J PUP
2692 | 货币银行学易纲最新版_143_350689.exe | Misc activity | ADWARE [PTsecurity] PUA.Softcnapp payload
2692 | 货币银行学易纲最新版_143_350689.exe | Misc activity | ADWARE [PTsecurity] Softcnapp.J PUP
2692 | 货币银行学易纲最新版_143_350689.exe | Misc activity | ADWARE [PTsecurity] PUA.Softcnapp payload
3592 | 1106.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3592 | 1106.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
25 ETPRO signatures available at the full report
Process | Message
货币银行学易纲最新版_143_350689.exe | DownloadApp_begin
iPDFSetup_V1015.exe | error At "CWMIInterface Construction CoInitializeEx"
ReaderTransSvr.exe | C:\Windows\TEMP\Sea843F.tmp
ReaderTransSvr.exe | C:\Users\admin\AppData\Roaming\iPDF\SearchIndexTable.sqlite
ReaderTransSvr.exe | C:\Users\admin\AppData\Roaming\iPDF\SearchIndexTable.sqlitetmp
ReaderTransSvr.exe | C:\Users\admin\AppData\Roaming\iPDF\SearchIndexTable.sqlite
ReaderTransSvr.exe | C:\Users\admin\AppData\Roaming\iPDF\SearchIndexTable.sqlitetmp
ReaderTransSvr.exe | ReopenDataFile
ReaderTransSvr.exe | C:\Windows\TEMP\Sea843F.tmp
Services.exe | nTimes = 0