download: yunqishionekey.exe

Full analysis: https://app.any.run/tasks/df1c599b-749b-4abc-8a87-f26ddec73c9f
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: July 04, 2020, 09:45:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: B4B013FBF8A070FA8DEC4AAC2D827015
SHA1: 4AEB2E3744DB3B6ED6AE7E2DFE286D2313848F27
SHA256: E2DAD370FB18E2D0114DF1E16720A137B9047044B33999BACFDDFCEC8BD42D14
SSDEEP: 393216:pgch/bIJHmhHRp8s9ghTMCi3B57+vyzix5JmcfgbClcvdv+2HE5nqCRag8PADkXq:XRpt9gt2xj9hbClgp+T5nRa3AwX2v

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • yunqishionekey.exe (PID: 2148)
  • SUSPICIOUS

    • Creates a software uninstall entry

      • yunqishionekey.exe (PID: 2148)
    • Executable content was dropped or overwritten

      • yunqishionekey.exe (PID: 2148)
  • INFO

    No info indicators.
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:03:20 10:51:13+01:00
PEType: PE32
LinkerVersion: 12
CodeSize: 3228160
InitializedDataSize: 24976384
UninitializedDataSize: -
EntryPoint: 0x29dba5
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 12.7.48.1860
ProductVersionNumber: 12.7.48.1860
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
CompanyName: 广州天行客网络科技有限公司
FileDescription: 一款帮助用户快速装机的软件
FileVersion: 12.7.48.1860
LegalCopyright: Copyright © 2016-2020 YunQiShi.Net
ProductName: 云骑士装机大师
ProductVersion: 12.7.48.1860

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 20-Mar-2020 09:51:13
Detected languages:
  • Chinese - PRC
  • English - United States
CompanyName: 广州天行客网络科技有限公司
FileDescription: 一款帮助用户快速装机的软件
FileVersion: 12.7.48.1860
LegalCopyright: Copyright © 2016-2020 YunQiShi.Net
ProductName: 云骑士装机大师
ProductVersion: 12.7.48.1860

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000110

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 20-Mar-2020 09:51:13
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x00314038 | 0x00314200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.53592
.rdata | 0x00316000 | 0x0007DDBE | 0x0007DE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.97185
.data | 0x00394000 | 0x00037640 | 0x0002D200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.27553
.vmp0 | 0x003CC000 | 0x0007F770 | 0x0007F800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.67985
.reloc | 0x0044C000 | 0x00033394 | 0x00033400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.71457
.rsrc | 0x00480000 | 0x016E8AB0 | 0x016E8C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.97751

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.06216 | 651 | UNKNOWN | English - United States | RT_MANIFEST
2 | 3.91737 | 16936 | UNKNOWN | Chinese - PRC | RT_ICON
3 | 4.23282 | 9640 | UNKNOWN | Chinese - PRC | RT_ICON
4 | 4.78708 | 4264 | UNKNOWN | Chinese - PRC | RT_ICON
5 | 5.53484 | 1128 | UNKNOWN | Chinese - PRC | RT_ICON
6 | 3.02695 | 308 | UNKNOWN | Chinese - PRC | RT_CURSOR
7 | 2.74274 | 180 | UNKNOWN | Chinese - PRC | RT_CURSOR
8 | 2.34038 | 308 | UNKNOWN | Chinese - PRC | RT_CURSOR
9 | 2.34004 | 308 | UNKNOWN | Chinese - PRC | RT_CURSOR
10 | 2.51649 | 308 | UNKNOWN | Chinese - PRC | RT_CURSOR

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
CRYPT32.dll
GDI32.dll
IMM32.dll
IPHLPAPI.DLL
KERNEL32.dll
MSIMG32.dll
OLEACC.dll
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → yunqishionekey.exe → yunqishionekey.exe (no specs)

Process information

PID: 2148
CMD: "C:\Users\admin\AppData\Local\Temp\yunqishionekey.exe"
Path: C:\Users\admin\AppData\Local\Temp\yunqishionekey.exe
Parent process: explorer.exe
User: admin
Company: 广州天行客网络科技有限公司
Integrity Level: HIGH
Description: 一款帮助用户快速装机的软件
Exit code: 0
Version: 12.7.48.1860
Modules (Images):
  • c:\users\admin\appdata\local\temp\yunqishionekey.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\shell32.dll

PID: 3072
CMD: "C:\Users\admin\AppData\Local\Temp\yunqishionekey.exe"
Path: C:\Users\admin\AppData\Local\Temp\yunqishionekey.exe
Parent process: explorer.exe
User: admin
Company: 广州天行客网络科技有限公司
Integrity Level: MEDIUM
Description: 一款帮助用户快速装机的软件
Exit code: 0
Version: 12.7.48.1860
Total events: 360
Read events: 348
Write events: 12
Delete events: 0

Modification events

All ten events are write operations by (PID 2148) yunqishionekey.exe under the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0087-0030-00FF-00E5-0041-009A-006C-00EF}

Name | Value
DisplayIcon | C:\Users\admin\AppData\Local\Temp\yunqishionekey.exe
DisplayName | 云骑士装机大师
DisplayVersion | 12.7.48.1860
InstallLocation | C:\Users\admin\Documents\YunQiShi\
Language | 2052
NoModify | 1
NoRepair | 1
EstimatedSize | 28028
Publisher | 一款帮助用户快速装机的软件
UninstallString | C:\Users\admin\Documents\YunQiShi\uninstall.exe
Executable files: 3
Suspicious files: 0
Text files: 1
Unknown types: 1

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2148 | yunqishionekey.exe | C:\Users\admin\Documents\YunQiShi\Work\Config\Config.dat-journal | - | - | -
2148 | yunqishionekey.exe | C:\Users\admin\Documents\YunQiShi\Work\Dependency\Zlib.zip | - | - | -
2148 | yunqishionekey.exe | C:\Users\Public\Desktop\云骑士装机大师.lnk | lnk | - | -
2148 | yunqishionekey.exe | C:\Users\admin\Documents\YunQiShi\uninstall.config | text | - | -
2148 | yunqishionekey.exe | C:\Users\admin\Documents\YunQiShi\Work\Dependency\DDUtility.dll | executable | - | -
2148 | yunqishionekey.exe | C:\Users\admin\Documents\YunQiShi\Work\Dependency\Zlib.dll | executable | 95E516F62A90DC204B41A8CFD3C68F4C | 0A6FCB2B46FB128C6EFC62BBBF49BD45BBF6FD2A186AE850F6D0AD932BA5B5D8
2148 | yunqishionekey.exe | C:\Users\admin\Documents\YunQiShi\Work\Dependency\DMMUtility.dll | executable | BC3AACB46A45E68C3CB467E039B1ED1E | 2A220CC9FFD1A90DE0E2DBFA079A9A2DB1721E374FA922BBE7828CE120695938
HTTP(S) requests: 119
TCP/UDP connections: 115
DNS requests: 66
Threats: 27

HTTP requests

Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
GET | - | 103.205.6.71:80 | http://down.ci43.com/yunqishi_uefi.exe | CN | - | - | suspicious
GET | - | 103.205.6.71:80 | http://down.ci43.com/yunqishi_uefi.exe | CN | - | - | suspicious
GET | - | 103.205.6.71:80 | http://down.ci43.com/yunqishi_uefi.exe | CN | - | - | suspicious
GET | - | 103.205.6.71:80 | http://down.ci43.com/yunqishi_uefi.exe | CN | - | - | suspicious
GET | - | 103.205.6.71:80 | http://down.ci43.com/yunqishi_uefi.exe | CN | - | - | suspicious
GET | - | 103.205.6.71:80 | http://down.ci43.com/yunqishi_uefi.exe | CN | - | - | suspicious
POST | 200 | 47.106.157.182:8972 | http://tj.driverzj.com:8972/api/request | CN | text | 54 b | unknown
POST | 200 | 47.106.157.182:8972 | http://tj.driverzj.com:8972/api/request | CN | text | 54 b | unknown
POST | 200 | 47.106.157.182:8972 | http://tj.driverzj.com:8972/api/request | CN | text | 54 b | unknown
POST | 200 | 140.206.225.136:80 | http://140.206.225.136:80/ | CN | fli | 28 b | malicious

Connections

IP | Domain | ASN | CN | Reputation
47.92.100.53:8000 | hub5pnc.hz.sandai.net | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious
47.106.157.182:8972 | tj.driverzj.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
140.206.225.138:80 | hub5c.hz.sandai.net | China Unicom Shanghai network | CN | malicious
211.91.242.38:8000 | hub5pn.hz.sandai.net | - | CN | unknown
47.97.7.140:80 | pmap.hz.sandai.net | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious
120.76.246.204:8091 | zhu.wuyouxitong.com | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
47.92.125.145:80 | hub5pr.hz.sandai.net | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious
39.98.57.143:8000 | hub5u.hz.sandai.net | Hangzhou Alibaba Advertising Co.,Ltd. | CN | unknown
47.92.100.53:8002 | hub5pnc.hz.sandai.net | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious
140.206.225.136:80 | hubstat.hz.sandai.net | China Unicom Shanghai network | CN | malicious

DNS requests

Domain | IP | Reputation
tj.driverzj.com | 47.106.157.182 | unknown
hub5pnc.hz.sandai.net | 47.92.100.53, 47.92.99.221 | malicious
hub5pn.hz.sandai.net | 211.91.242.38, 118.212.146.20, 118.212.146.21, 61.135.179.34, 153.3.232.175, 58.144.251.1, 61.135.179.35, 211.91.242.37, 153.3.232.174, 157.255.225.49, 157.255.225.53, 58.144.251.2 | unknown
hub5c.hz.sandai.net | 140.206.225.244, 123.125.221.6, 123.125.221.44, 123.125.221.72, 140.206.225.169, 140.206.225.138 | malicious
pmap.hz.sandai.net | 47.97.7.140 | malicious
hub5u.hz.sandai.net | 39.98.57.143, 39.100.9.39, 47.92.75.245 | unknown
relay.phub.hz.sandai.net | - | whitelisted
zhu.wuyouxitong.com | 120.76.246.204 | unknown
hub5pr.hz.sandai.net | 47.92.125.145, 47.92.169.85, 47.92.39.6, 47.92.194.216, 47.92.171.207, 47.92.195.246 | unknown
imhub5pr.hz.sandai.net | - | unknown

Threats

Class | Message
Misc activity | ADWARE [PTsecurity] Win32.Downloader (Sogou/Chindo)
Misc activity | ADWARE [PTsecurity] Win32.Downloader (Sogou/Chindo)
Misc activity | ADWARE [PTsecurity] Win32.Downloader (Sogou/Chindo)
Misc activity | ADWARE [PTsecurity] Win32.Downloader (Sogou/Chindo)
Misc activity | ADWARE [PTsecurity] Win32.Downloader (Sogou/Chindo)
Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
Misc activity | ADWARE [PTsecurity] Win32.Downloader (Sogou/Chindo)
Misc activity | ADWARE [PTsecurity] Win32.Downloader (Sogou/Chindo)
Misc activity | ADWARE [PTsecurity] Win32.Downloader (Sogou/Chindo)
Misc activity | ADWARE [PTsecurity] Win32.Downloader (Sogou/Chindo)
3 ETPRO signatures available at the full report
No debug info