Malware analysis Baidu.PC.Faster.5.1.3.131061.exe Malicious activity

Add for printing

download:	Baidu.PC.Faster.5.1.3.131061.exe
Full analysis:	https://app.any.run/tasks/20a29861-4e02-4532-bcd0-eb437007d816
Verdict:	Malicious activity
Analysis date:	March 30, 2020, 13:23:32
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
MD5:	D0C21E2B06B73AC06E91F01535906F8F
SHA1:	77212D51A20535F5F4622EB55E716EB4AE04ABD3
SHA256:	FB434673F0B546ABB8E3A6E81D6C8916A4B8D2DCAA6AF9DFA166C684C8E7675E
SSDEEP:	786432:/Tt+Na5oHC/4lv3q+NFH+rQzwSRXelvUSYE3Dv:KSB/4lS+N3USRulvUeDv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.17843 KB3058515
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Hyphenation Parent Package English
IE Spelling Parent Package English
IE Troubleshooters Package
InternetExplorer Optional Package
InternetExplorer Package TopLevel
KB2533623
KB2534111
KB2639308
KB2729094
KB2731771
KB2786081
KB2834140
KB2882822
KB2888049
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
PlatformUpdate Win7 SRV08R2 Package TopLevel
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe (PID: 3376)
  - Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe (PID: 2480)
  - PC_Faster_Setup_Mini.exe (PID: 3556)
  - Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe (PID: 3032)
  - PCF4CFA.exe (PID: 2056)
  - PCFHelper.exe (PID: 2072)
  - PCFasterSvc.exe (PID: 2868)
  - PCFasterSvc.exe (PID: 1876)
  - LogReporter.exe (PID: 3148)
  - PCFTray.exe (PID: 2456)
  - LogReporter.exe (PID: 2936)
  - LogReporter.exe (PID: 3584)
  - Updater.exe (PID: 1520)
  - Updater.exe (PID: 3984)
  - Updater.exe (PID: 3420)
  - LogReporter.exe (PID: 3960)
  - Updater.exe (PID: 1836)
  - ReportCommRetryPCF.exe (PID: 1840)
  - PCFHelper.exe (PID: 3132)
  - PCFTray.exe (PID: 180)
  - FasterNow.exe (PID: 4008)
  - PCFaster.exe (PID: 2428)
  - CleanerEngineSvc.exe (PID: 552)
  - liveupdate.exe (PID: 2140)
  - SysOptEngineSvc.exe (PID: 3820)
  - PCFPopups.exe (PID: 572)
  - PCFaster.exe (PID: 1348)
  - PCFTray.exe (PID: 3076)
  - FasterNow.exe (PID: 2080)
- Loads dropped or rewritten executable
  - Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe (PID: 3376)
  - Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe (PID: 3032)
  - PCFHelper.exe (PID: 2072)
  - PCFasterSvc.exe (PID: 2868)
  - PCFasterSvc.exe (PID: 1876)
  - LogReporter.exe (PID: 3148)
  - LogReporter.exe (PID: 3584)
  - Updater.exe (PID: 3984)
  - LogReporter.exe (PID: 2936)
  - Updater.exe (PID: 1520)
  - Updater.exe (PID: 3420)
  - LogReporter.exe (PID: 3960)
  - regsvr32.exe (PID: 3912)
  - regsvr32.exe (PID: 2916)
  - PCFTray.exe (PID: 2456)
  - ReportCommRetryPCF.exe (PID: 1840)
  - Updater.exe (PID: 1836)
  - PCFHelper.exe (PID: 3132)
  - PCFTray.exe (PID: 180)
  - PCFaster.exe (PID: 2428)
  - FasterNow.exe (PID: 4008)
  - CleanerEngineSvc.exe (PID: 552)
  - SysOptEngineSvc.exe (PID: 3820)
  - PCFPopups.exe (PID: 572)
  - PCFTray.exe (PID: 3076)
  - PCFaster.exe (PID: 1348)
  - FasterNow.exe (PID: 2080)
  - liveupdate.exe (PID: 2140)
- Uses Task Scheduler to run other applications
  - Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe (PID: 3032)
- Loads the Task Scheduler COM API
  - schtasks.exe (PID: 2296)
  - schtasks.exe (PID: 3204)
  - schtasks.exe (PID: 676)
  - schtasks.exe (PID: 2504)
  - schtasks.exe (PID: 3524)
  - Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe (PID: 3032)
  - schtasks.exe (PID: 1492)
  - schtasks.exe (PID: 3960)
  - schtasks.exe (PID: 2060)
  - PCFHelper.exe (PID: 3132)
  - SysOptEngineSvc.exe (PID: 3820)
- Registers / Runs the DLL via REGSVR32.EXE
  - Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe (PID: 3032)
- Changes the autorun value in the registry
  - PCFasterSvc.exe (PID: 2868)
  - Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe (PID: 3032)
- Actions looks like stealing of personal data
  - CleanerEngineSvc.exe (PID: 552)
- Changes Windows Error Reporting flag
  - SysOptEngineSvc.exe (PID: 3820)
SUSPICIOUS
- Executable content was dropped or overwritten
  - PC_Faster_Setup_Mini.exe (PID: 3556)
  - Baidu.PC.Faster.5.1.3.131061.exe (PID: 3240)
  - Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe (PID: 3376)
  - Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe (PID: 3032)
  - PCFasterSvc.exe (PID: 1876)
  - PCFasterSvc.exe (PID: 2868)
- Low-level read access rights to disk partition
  - Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe (PID: 3376)
  - PCF4CFA.exe (PID: 2056)
  - Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe (PID: 3032)
  - PCFasterSvc.exe (PID: 2868)
  - PCFasterSvc.exe (PID: 1876)
  - LogReporter.exe (PID: 3148)
  - PCFHelper.exe (PID: 2072)
  - Updater.exe (PID: 1520)
  - Updater.exe (PID: 3420)
  - PCFTray.exe (PID: 180)
  - PCFHelper.exe (PID: 3132)
  - FasterNow.exe (PID: 4008)
  - PCFaster.exe (PID: 2428)
  - CleanerEngineSvc.exe (PID: 552)
  - SysOptEngineSvc.exe (PID: 3820)
  - PCFPopups.exe (PID: 572)
  - liveupdate.exe (PID: 2140)
  - PCFaster.exe (PID: 1348)
- Reads internet explorer settings
  - Baidu.PC.Faster.5.1.3.131061.exe (PID: 3240)
- Creates files in the program directory
  - PCF4CFA.exe (PID: 2056)
  - Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe (PID: 3032)
  - PCFasterSvc.exe (PID: 2868)
  - Updater.exe (PID: 3420)
  - FasterNow.exe (PID: 4008)
  - SysOptEngineSvc.exe (PID: 3820)
  - PCFHelper.exe (PID: 3132)
  - WinRAR.exe (PID: 2648)
  - FasterNow.exe (PID: 2080)
  - liveupdate.exe (PID: 2140)
  - ReportCommRetryPCF.exe (PID: 1840)
- Starts SC.EXE for service management
  - Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe (PID: 3032)
- Creates COM task schedule object
  - regsvr32.exe (PID: 2916)
- Creates a software uninstall entry
  - Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe (PID: 3032)
  - CScript.exe (PID: 2604)
  - PCFHelper.exe (PID: 3132)
- Executed as Windows Service
  - PCFasterSvc.exe (PID: 2868)
- Application launched itself
  - PCFasterSvc.exe (PID: 2868)
  - WinRAR.exe (PID: 4060)
- Creates or modifies windows services
  - Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe (PID: 3032)
  - PCFasterSvc.exe (PID: 1876)
- Creates files in the user directory
  - Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe (PID: 3032)
  - FasterNow.exe (PID: 2080)
  - CleanerEngineSvc.exe (PID: 552)
- Reads the cookies of Google Chrome
  - LogReporter.exe (PID: 3584)
- Reads the cookies of Mozilla Firefox
  - LogReporter.exe (PID: 3584)
- Executed via Task Scheduler
  - CScript.exe (PID: 2604)
- Creates files in the Windows directory
  - PCFasterSvc.exe (PID: 1876)
  - PCFHelper.exe (PID: 3132)
- Creates files in the driver directory
  - PCFasterSvc.exe (PID: 1876)
- Writes to a desktop.ini file (may be used to cloak folders)
  - PCFHelper.exe (PID: 3132)
- Searches for installed software
  - FasterNow.exe (PID: 4008)
- Starts itself from another location
  - PCFasterSvc.exe (PID: 2868)
INFO
- Manual execution by user
  - Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe (PID: 2480)
  - Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe (PID: 3376)
  - WinRAR.exe (PID: 4060)
  - WinRAR.exe (PID: 312)
  - PCFTray.exe (PID: 3076)
- Dropped object may contain Bitcoin addresses
  - Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe (PID: 3032)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2012:02:17 15:55:21+01:00
PEType:	PE32
LinkerVersion:	9
CodeSize:	73216
InitializedDataSize:	36352
UninitializedDataSize:	-
EntryPoint:	0xb583
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
CompanyName:	(c) Soft98.iR
FileDescription:	By SalaR
FileVersion:	1.0.0.0
InternalName:	Default App
LegalCopyright:	(c) by Soft98.iR
LegalTrademarks:	-
OriginalFileName:	default.exe
ProductName:	DefaultApp
ProductVersion:	1.0.0.0
Author:	SalaR

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	17-Feb-2012 14:55:21
Detected languages:	English - United States Process Default Language
Debug artifacts:	d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
CompanyName:	(c) Soft98.iR
FileDescription:	By SalaR
FileVersion:	1.0.0.0
InternalName:	Default App
LegalCopyright:	(c) by Soft98.iR
LegalTrademarks:	-
OriginalFilename:	default.exe
ProductName:	DefaultApp
ProductVersion:	1.0.0.0
Author:	SalaR

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x000000E0

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	5
Time date stamp:	17-Feb-2012 14:55:21
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_RELOCS_STRIPPED

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x00011C32	0x00011E00	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.5555
.rdata	0x00013000	0x00001C35	0x00001E00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.87733
.data	0x00015000	0x000156FC	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	3.55293
.CRT	0x0002B000	0x00000010	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	0.219439
.rsrc	0x0002C000	0x00006A20	0x00006C00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.4003

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.20816	1464	Latin 1 / Western European	English - United States	RT_MANIFEST
2	4.86206	4264	Latin 1 / Western European	Process Default Language	RT_ICON
3	5.344	2440	Latin 1 / Western European	Process Default Language	RT_ICON
4	5.16808	1128	Latin 1 / Western European	Process Default Language	RT_ICON
7	3.24143	556	Latin 1 / Western European	English - United States	RT_STRING
8	3.26996	974	Latin 1 / Western European	English - United States	RT_STRING
9	3.04375	530	Latin 1 / Western European	English - United States	RT_STRING
10	3.16254	776	Latin 1 / Western European	English - United States	RT_STRING
11	3.06352	380	Latin 1 / Western European	English - United States	RT_STRING
12	2.33959	102	Latin 1 / Western European	English - United States	RT_STRING

Imports


ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
ole32.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

122

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

180

"C:\Program Files\PC Faster\5.1.0.0\PCFTray.exe"

C:\Program Files\PC Faster\5.1.0.0\PCFTray.exe

—

PCFasterSvc.exe

User:

admin

Company:

Baidu, Inc.

Integrity Level:

HIGH

Description:

PC Faster Tray

Exit code:

Version:

5,1,3,131061

Modules

Images
c:\program files\pc faster\5.1.0.0\pcftray.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\pc faster\5.1.0.0\directui.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

312

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Baidu.PC.Faster.5.1.3.131061\Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe"

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Exit code:

Version:

5.60.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

552

"C:\Program Files\PC Faster\5.1.0.0\CleanerEngineSvc.exe" -l CleanerEngine

C:\Program Files\PC Faster\5.1.0.0\CleanerEngineSvc.exe

PCFasterSvc.exe

User:

SYSTEM

Company:

Baidu, Inc.

Integrity Level:

SYSTEM

Description:

Baidu PC Faster Service

Exit code:

Version:

5,1,3,131061

Modules

Images
c:\program files\pc faster\5.1.0.0\cleanerenginesvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\pc faster\5.1.0.0\datareport.dll
c:\program files\pc faster\5.1.0.0\log2.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

572

"C:\Windows\system32\sc.exe" delete SystemUpSvc_{PCFaster_5.1.0.0}

C:\Windows\system32\sc.exe

—

Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

A tool to aid in developing services for WindowsNT

Exit code:

1060

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

572

"C:\Program Files\PC Faster\5.1.0.0\PCFPopups.exe" -config

C:\Program Files\PC Faster\5.1.0.0\PCFPopups.exe

PCFTray.exe

User:

admin

Company:

Baidu, Inc.

Integrity Level:

HIGH

Description:

PC Faster Popups

Exit code:

Version:

5,1,3,128373

Modules

Images
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\sc.exe
c:\program files\pc faster\5.1.0.0\pcfpopups.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\program files\pc faster\5.1.0.0\directui.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll

676

"C:\Windows\system32\schtasks.exe" /DELETE /F /TN "Baidu PC Faster Service"

C:\Windows\system32\schtasks.exe

—

Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

1348

"C:\Program Files\PC Faster\5.1.0.0\PCFaster.exe" -shortcut

C:\Program Files\PC Faster\5.1.0.0\PCFaster.exe

—

PCFTray.exe

User:

admin

Company:

Baidu, Inc.

Integrity Level:

HIGH

Description:

PC Faster

Exit code:

Version:

5,1,3,126471

Modules

Images
c:\program files\pc faster\5.1.0.0\pcfaster.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\pc faster\5.1.0.0\directui.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

1492

"C:\Windows\system32\schtasks.exe" /DELETE /F /TN "Baidu PC Faster Service"

C:\Windows\system32\schtasks.exe

—

Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

1520

"C:\Program Files\PC Faster\5.1.0.0\Updater.exe" -InService -no_ui -send_uu_msg

C:\Program Files\PC Faster\5.1.0.0\Updater.exe

—

PCFasterSvc.exe

User:

SYSTEM

Company:

Baidu, Inc.

Integrity Level:

SYSTEM

Description:

Baidu PC Faster Updater

Exit code:

Version:

5,1,3,126471

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msctf.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\conhost.exe
c:\program files\pc faster\5.1.0.0\updater.exe
c:\systemroot\system32\ntdll.dll

1836

"C:\Program Files\PC Faster\5.1.0.0\Updater.exe" -no_ui

C:\Program Files\PC Faster\5.1.0.0\Updater.exe

—

PCFasterSvc.exe

User:

admin

Company:

Baidu, Inc.

Integrity Level:

HIGH

Description:

Baidu PC Faster Updater

Exit code:

Version:

5,1,3,126471

Modules

Images
c:\windows\system32\wininet.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\api-ms-win-downlevel-ole32-l1-1-0.dll
c:\windows\system32\oleaut32.dll
c:\users\admin\desktop\baidu.pc.faster.5.1.3.131061\baidu.pc.faster.5.1.3.131061_soft98.ir.exe
c:\windows\system32\version.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\bcryptprimitives.dll

Add for printing

Total events

2 403

Read events

2 225

Write events

168

Delete events

Modification events


(PID) Process:	(3240) Baidu.PC.Faster.5.1.3.131061.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(3240) Baidu.PC.Faster.5.1.3.131061.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(3240) Baidu.PC.Faster.5.1.3.131061.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(3240) Baidu.PC.Faster.5.1.3.131061.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(3240) Baidu.PC.Faster.5.1.3.131061.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(3376) Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe	Key:	HKEY_CURRENT_USER\Software\Baidu Security\PC Faster
Operation:	write	Name:	pcfaster-guid
Value: 4e83ce1b-8b2f-4442-aaa0-f6d1adedc098
(PID) Process:	(2056) PCF4CFA.exe	Key:	HKEY_CURRENT_USER\Software\Baidu Security\PC Faster
Operation:	write	Name:	pcfaster-id
Value: S-1-5-21-1302019708-1500728564-335382590-1000#5254004A04AF
(PID) Process:	(2056) PCF4CFA.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Baidu_Drp_pos\DRP\Processing
Operation:	write	Name:	C:\ProgramData\Baidu Security\RpData\rpFile-PCF4CFA-2020-03-30 03-26-25-0969-[17362].dat
Value: http://sync.pcfaster.baidu.com.eg/cgi-bin-py/mini_install_statistic_info.cgi
(PID) Process:	(2056) PCF4CFA.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Baidu_Drp_pos\DRP\Processing
Operation:	write	Name:	C:\ProgramData\Baidu Security\RpData\rpFile-PCF4CFA-2020-03-30 03-26-26-0063-[17365].dat
Value: http://sync.pcfaster.baidu.com.eg/cgi-bin-py/mini_install_statistic_info.cgi
(PID) Process:	(3376) Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation:	write	Name:	PendingFileRenameOperations
Value: \??\C:\Users\admin\AppData\Local\Temp\nsm4ABA.tmp\BHips.dll

Add for printing

Executable files

111

Suspicious files

138

Text files

955

Unknown types

Dropped files

PID	Process	Filename		Type
3376	Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe	C:\Users\admin\AppData\Local\Temp\nsh4A9A.tmp		—
		MD5:—	SHA256:—
3376	Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe	C:\Users\Public\Documents\Baidu\Common\I18N\conf.db		text
		MD5:—	SHA256:—
3240	Baidu.PC.Faster.5.1.3.131061.exe	C:\Users\admin\Desktop\Baidu.PC.Faster.5.1.3.131061\Soft98.iR.url		text
		MD5:3DDF222B0633A83ECD9F4DD34F1D3FD3	SHA256:CD49C8C8A991A045E07E301C17735760A6C0C4EF533882C48A7F1D9AF6FC8582
2056	PCF4CFA.exe	C:\Users\admin\AppData\Local\Temp\pcf4E23.tmp		—
		MD5:—	SHA256:—
2056	PCF4CFA.exe	C:\ProgramData\Baidu Security\RpData\rpFile-PCF4CFA-2020-03-30 03-26-25-0969-[17362].tmp		—
		MD5:—	SHA256:—
3376	Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe	C:\Users\admin\AppData\Local\Temp\nsm4ABA.tmp\System.dll		executable
		MD5:959EA64598B9A3E494C00E8FA793BE7E	SHA256:03CD57AB00236C753E7DDEEE8EE1C10839ACE7C426769982365531042E1F6F8B
2056	PCF4CFA.exe	C:\ProgramData\Baidu Security\RpData\rpFile-PCF4CFA-2020-03-30 03-26-26-0063-[17365].tmp		—
		MD5:—	SHA256:—
3376	Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe	C:\Users\admin\AppData\Local\Temp\nsm4ABA.tmp\InstallCheck.dll		executable
		MD5:0113B5401128D49B6B0DF587A389EB1E	SHA256:32252B067353F187BCBBF59F3A13936C34CB3A390DC1A5F5D0774E17B11C4A32
3376	Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe	C:\Users\admin\AppData\Local\Temp\nsm4ABA.tmp\NewFeatures.txt		text
		MD5:364821C6D3099EA189408EFBD480708C	SHA256:E6B31E606248A4BAF22CA4621BEDA7517822ACCC9D5D29B1CCA98FD78D63EECE
3240	Baidu.PC.Faster.5.1.3.131061.exe	C:\Users\admin\Desktop\Baidu.PC.Faster.5.1.3.131061\Baidu.PC.Faster.5.1.3.131061_Soft98.iR.exe		executable
		MD5:BC4BD700EB90AF556BEA36A621309B93	SHA256:0A734E7A121E820A06492320C95F48F27E583AB8D023811834B8EB38847110F2

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
572	PCFPopups.exe	GET	—	103.235.46.69:80	http://www.pcfaster.com/cgi/files/get.php?t=rocket&channel=web%257Cgl%257Cofficial%257Cdirect&uid=e6c5f99bff76ee6a2a12018b828851e7&version=5.1.3.131061	HK	—	—	suspicious
2072	PCFHelper.exe	GET	—	103.235.46.69:80	http://pcfaster.baidu.com.eg/cgi/ip/getCode.php	HK	—	—	whitelisted
572	PCFPopups.exe	GET	—	103.235.46.69:80	http://www.pcfaster.com/cgi/files/get.php?t=recommend&channel=web%257Cgl%257Cofficial%257Cdirect&uid=e6c5f99bff76ee6a2a12018b828851e7&version=5.1.3.131061	HK	—	—	suspicious
572	PCFPopups.exe	GET	—	103.235.46.69:80	http://www.pcfaster.com/cgi/files/get.php?t=bootweb&channel=web%257Cgl%257Cofficial%257Cdirect&uid=e6c5f99bff76ee6a2a12018b828851e7&version=5.1.3.131061	HK	—	—	suspicious
572	PCFPopups.exe	GET	—	103.235.46.69:80	http://www.pcfaster.com/cgi/files/get.php?t=worldcup&channel=web%257Cgl%257Cofficial%257Cdirect&uid=e6c5f99bff76ee6a2a12018b828851e7&version=5.1.3.131061	HK	—	—	suspicious
572	PCFPopups.exe	GET	—	103.235.46.69:80	http://www.pcfaster.com/cgi/files/get.php?t=layerhome&channel=web%257Cgl%257Cofficial%257Cdirect&uid=e6c5f99bff76ee6a2a12018b828851e7&version=5.1.3.131061	HK	—	—	suspicious
2868	PCFasterSvc.exe	POST	—	103.235.46.12:80	http://up.eg.bav.baidu.com/up.cgi	HK	—	—	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2072	PCFHelper.exe	103.235.46.69:80	pcfaster.baidu.com.eg	Beijing Baidu Netcom Science and Technology Co., Ltd.	HK	suspicious
572	PCFPopups.exe	103.235.46.69:80	pcfaster.baidu.com.eg	Beijing Baidu Netcom Science and Technology Co., Ltd.	HK	suspicious
2868	PCFasterSvc.exe	103.235.46.12:80	up.eg.bav.baidu.com	Beijing Baidu Netcom Science and Technology Co., Ltd.	HK	suspicious

DNS requests

Domain	IP	Reputation
sync.pcfaster.baidu.com.eg	—	unknown
pcfaster.baidu.com.eg	103.235.46.69	whitelisted
sync.security.baidu.co.th	—	unknown
update.pcfaster.baidu.com.eg	—	unknown
sync.bav.baidu.com	—	whitelisted
www.pcfaster.com	103.235.46.69	suspicious
csu.pcfaster.baidu.com.eg	—	unknown
up.eg.bav.baidu.com	103.235.46.12	suspicious

Threats

No threats detected

Add for printing

No debug info

General Info

Baidu.PC.Faster.5.1.3.131061.exe

D0C21E2B06B73AC06E91F01535906F8F

77212D51A20535F5F4622EB55E716EB4AE04ABD3

FB434673F0B546ABB8E3A6E81D6C8916A4B8D2DCAA6AF9DFA166C684C8E7675E

786432:/Tt+Na5oHC/4lv3q+NFH+rQzwSRXelvUSYE3Dv:KSB/4lS+N3USRulvUeDv

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Uses Task Scheduler to run other applications

Loads the Task Scheduler COM API

Registers / Runs the DLL via REGSVR32.EXE

Changes the autorun value in the registry

Actions looks like stealing of personal data

Changes Windows Error Reporting flag

SUSPICIOUS

Executable content was dropped or overwritten

Low-level read access rights to disk partition

Reads internet explorer settings

Creates files in the program directory

Starts SC.EXE for service management

Creates COM task schedule object

Creates a software uninstall entry

Executed as Windows Service

Application launched itself

Creates or modifies windows services

Creates files in the user directory

Reads the cookies of Google Chrome

Reads the cookies of Mozilla Firefox

Executed via Task Scheduler

Creates files in the Windows directory

Creates files in the driver directory

Writes to a desktop.ini file (may be used to cloak folders)

Searches for installed software

Starts itself from another location

INFO

Manual execution by user

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity