王者荣耀电脑版_30@180382.exe

downer for windows

Riyue Tongxing Information Technology (Beijing) Co., Ltd.

The application 王者荣耀电脑版_30@180382.exe (the filename translates to "Honor of Kings PC version") by Riyue Tongxing Information Technology (Beijing) Co. has been flagged as a potentially unwanted program (PUP) by 1 of 68 anti-malware scanners. A single heuristic detection is a weak signal on its own; the stronger indicators in this report are that the product name and original file name ("downer") identify a generic download wrapper, that the binary is UPX-packed, and that the same file is served under dozens of unrelated software names. This is a setup program which is used to install the application. The file has been seen being downloaded from dlc2.pconline.com.cn and multiple other hosts. While running, it connects to the Internet address 170.27.143.122.adsl-pool.jlccptt.net.cn (122.143.27.170) on port 80 using plain HTTP, among the other destinations listed below.
Publisher:
Riyue Tongxing Information Technology (Beijing) Co.,Ltd.  (signed by Riyue Tongxing Information Technology (Beijing) Co., Ltd.)

Product:
downer for windows

Version:
1.3.1.14

MD5:
928f6f6c5fbb9a28ac50658c42c7c577

SHA-1:
2d0e3c1b97e65d65596aa49078cf0ba7889ac0e3

SHA-256:
5b5bdae7a63b6b7816f25cdac671588862224452217d195bb87c303bef0f8d52

Scanner detections:
1 / 68

Status:
Potentially unwanted

Analysis date:
4/24/2025 3:44:24 PM UTC

Scan engine          Detection           Engine version
Reason Heuristics    PUP.Gaofenquming    17.1.19.2

File size:
1016.6 KB (1,040,992 bytes)

Product version:
1.3.1.14

Copyright:
Riyue Tongxing Information Technology (Beijing) Co.,Ltd.

Original file name:
downer

File type:
Executable application (Win32 EXE)

Digital Signature
Authority:
WoSign CA Limited

Valid from:
10/21/2016 3:12:47 PM

Valid to:
12/21/2019 3:12:47 PM  (expired by the analysis date; the compilation timestamp of 1/16/2017 falls inside the validity window, but whether the Authenticode signature still verifies depends on a trusted timestamp countersignature, which this report does not list)

Subject:
CN="Riyue Tongxing Information Technology (Beijing) Co., Ltd.", O="Riyue Tongxing Information Technology (Beijing) Co., Ltd.", L=Beijing, S=Beijing, C=CN

Issuer:
CN=WoSign Class 3 Code Signing CA, O=WoSign CA Limited, C=CN

Serial number:
2A4FBEAA878B6FDC656FFBD4922BB04A

File PE Metadata
Compilation timestamp:
1/16/2017 11:32:35 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
2.25

Entry address:
0x258D70

Entry point:
60, BE, 00, 80, 56, 00, 8D, BE, 00, 90, E9, FF, C7, 87, F8, 29, 18, 00, 43, 2B, 2C, 76, 57, 83, CD, FF, EB, 0E, 90, 90, 90, 90, 8A, 06, 46, 88, 07, 47, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 72, ED, B8, 01, 00, 00, 00, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C0, 01, DB, 73, EF, 75, 09, 8B, 1E, 83, EE, FC, 11, DB, 73, E4, 31, C9, 83, E8, 03, 72, 0D, C1, E0, 08, 8A, 06, 46, 83, F0, FF, 74, 74, 89, C5, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB, 11, C9, 01, DB, 75, 07, 8B, 1E, 83, EE, FC, 11, DB...

Entropy:
7.8690

Packer / compiler:
UPX v0.89.6 - v1.02 / v1.05 - v1.22 (Delphi) stub

Code size:
964 KB (987,136 bytes)
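The hashes, entropy and UPX stub above are the first things an analyst reproduces on a copy of the sample. The following script is an added example, not part of the original report: it checks a file against the three digests published on this page, computes byte entropy the way the 7.8690 figure is derived, matches the UPX decompressor prologue quoted in the entry-point bytes, and reads the PE section table for UPX0/UPX1 names without third-party libraries. The `build_fake_pe` helper constructs a minimal stand-in header so the parser can be exercised offline; the real sample is not needed to run it.

```python
"""Offline triage helpers for a sample like the one in this report.
Added example; REPORT_HASHES and REPORT_ENTRY_STUB are copied from the page,
build_fake_pe() produces constructed headers for demonstration only."""
import hashlib
import math
import struct
from collections import Counter

# Digests as published on this page for 王者荣耀电脑版_30@180382.exe.
REPORT_HASHES = {
    "md5": "928f6f6c5fbb9a28ac50658c42c7c577",
    "sha1": "2d0e3c1b97e65d65596aa49078cf0ba7889ac0e3",
    "sha256": "5b5bdae7a63b6b7816f25cdac671588862224452217d195bb87c303bef0f8d52",
}

# First 28 entry-point bytes as listed on this page: pushad; mov esi, imm32;
# lea edi, [esi+disp32]; ... which is the UPX decompressor prologue.
REPORT_ENTRY_STUB = bytes.fromhex(
    "60BE008056008DBE0090E9FFC787F8291800432B2C765783CDFFEB0E"
)


def hashes_of(data: bytes) -> dict:
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_report(data: bytes) -> bool:
    """True only if all three digests equal the ones published on the page."""
    return hashes_of(data) == REPORT_HASHES


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0.0 .. 8.0; packed or encrypted payloads sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_upx_entry_stub(code: bytes) -> bool:
    """Match 'pushad; mov esi, imm32; lea edi, [esi+disp32]', immediates wildcarded."""
    return len(code) >= 12 and code[0] == 0x60 and code[1] == 0xBE and code[6:8] == b"\x8d\xbe"


def pe_section_names(pe: bytes) -> list:
    """Minimal PE section-table reader: MZ -> e_lfanew -> PE\\0\\0 -> sections."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]      # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]       # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                # first IMAGE_SECTION_HEADER
    names = []
    for i in range(n_sections):
        raw = pe[table + 40 * i: table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(pe: bytes) -> bool:
    """UPX leaves UPX0/UPX1 section names unless the packer was told to rename them."""
    return any(name.startswith("UPX") for name in pe_section_names(pe))


def build_fake_pe(section_names, pe_offset=0x80) -> bytes:
    """Constructed stand-in for a real file: just enough MZ/PE/file-header
    structure plus a PE32 optional header and the requested section names."""
    hdr = bytearray(pe_offset)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe_offset)
    opt_size = 0xE0  # IMAGE_OPTIONAL_HEADER32 size
    hdr += b"PE\0\0"
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (IMAGE_FILE_EXECUTABLE_IMAGE | 32BIT_MACHINE)
    hdr += struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x0102)
    hdr += bytes(opt_size)
    for name in section_names:
        hdr += name.encode("ascii").ljust(8, b"\0") + bytes(32)
    return bytes(hdr)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read()
    print("hash match:", matches_report(data))
    print("entropy:", round(shannon_entropy(data), 4))
    print("UPX sections:", looks_upx_packed(data))
```

Run it as `python triage.py sample.exe` on a copy of the file. Authenticode validity (including whether a timestamp countersignature keeps the expired WoSign certificate acceptable) is not something this script checks; use `signtool verify /pa /v sample.exe` or PowerShell's `Get-AuthenticodeSignature` for that step.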

The file 王者荣耀电脑版_30@180382.exe has been seen being distributed by the following 30 URLs. The same binary (same SHA-256) is served under unrelated names such as office2016_wps, uTorrent, KMPlayer, iTunes and Navicat, which is the distribution pattern of a generic download wrapper rather than of one application's installer.

http://dlc2.pconline.com.cn/filedown3_6256_17026220/.../office2016_wps_5100000062567026220.exe

http://dl.ssouy.com/.../MotioninJoy_48@129609.exe

http://dl.zasuv.com/.../??:???????????_51@369139.exe

http://dl.ssouy.com/.../??K?_48@31681.exe

http://ftp.pconline.com.cn/69b675659749bdcebe57bd44861b19c4/pub/download/201010/maldner/.../quicktimeinstaller_2200000014857023230.exe

http://ftp.pconline.com.cn/fc86fe25738357576e2b44fa26c83f35/pub/download/201010/maldner/.../SkypeSetupFull_2200000092777950746.exe

http://dl.zasuv.com/.../??????????_51@290042.exe

https://dl.cjsdxz.com/.../AC3 Filter_1@86309.exe

http://cl.ssouy.com/.../????????_30@48779.exe

http://dl.ssouy.com/.../Navicat_48@51737.exe

https://dl.cjsdxz.com/.../Registry Trash Keys Finder_1@63866.exe

http://dl.ssouy.com/.../?????_30@363547.exe

http://dl.ssouy.com/.../QuickPlay_48@65628.exe

http://dl.pconline.com.cn/intf/.../downLoadTool2.jsp?masterId=51240&ipType=1&riYueToken=GqbINs6Y

https://cl2.cjsdxz.com/.../Curse Client_1@176659.exe

http://dlc2.pconline.com.cn/filedown3_10989_17124603/.../uTorrent_5100000109897124603.exe

http://dl.ssouy.com/.../??????_30@17982.exe

http://dl.ssouy.com/.../Redis???GUI??Redis_30@116150.exe

http://dl.ssouy.com/.../KMPlayer???_30@6689.exe

https://cl2.cjsdxz.com/.../KMPlayer_1@38003.exe

http://dl.ssouy.com/.../?????5?????_30@9160.exe

http://cl.ssouy.com/.../ce???_30@62186.exe

https://dl.cjsdxz.com/.../iTunes_1@8651.exe

http://dl.ssouy.com/.../???????_30@33119.exe

http://dl.ssouy.com/.../Win_48@54521.exe

http://dl.wokxn.com/.../??_21@285979.exe

https://dl.cjsdxz.com/.../KMPlayer_1@38003.exe

http://dl.ssouy.com/.../????Sndvol32.exe_30@40044.exe

http://ftp.pconline.com.cn/97c31fa9b9f629859ac4dec4282b5036/pub/download/201010/maldner/.../KMPlayer_4.1.5.8_2200000103447872504.exe

http://cl.wokxn.com/.../QQ??_21@285874.exe

Latest 30 of 30 download URLs

The executing file has been seen to make the following network communications in live environments. All but one connection is plaintext HTTP on port 80, and several destinations reverse-resolve to ISP ADSL address pools (adsl-pool.*, *.adsl), i.e. dynamically assigned addresses rather than fixed server infrastructure, so IP-based indicators from this list will age quickly.

Protocol          Destination (reverse DNS)                   Address
TCP (HTTP)        hn.kd.smx.adsl                              221.13.203.121:80
TCP (HTTP)        180.226.204.221.adsl-pool.sx.cn             221.204.226.180:80
TCP (HTTP)        95.138.1.103.unknown.m1.com.sg              103.1.138.95:80
TCP (HTTP SSL)    reserve.cableplus.com.cn                    211.144.71.49:443
TCP (HTTP)        promote.cache-dns.local                     223.111.18.216:80
TCP (HTTP)        hn.kd.ny.adsl                               42.236.10.4:80
TCP (HTTP)        dns183.online.tj.cn                         111.161.3.183:80
TCP (HTTP)        cncln.online.ln.cn                          218.60.119.231:80
TCP (HTTP)        241.27.143.122.adsl-pool.jlccptt.net.cn     122.143.27.241:80
TCP (HTTP)        170.27.143.122.adsl-pool.jlccptt.net.cn     122.143.27.170:80
TCP (HTTP)        140.226.204.221.adsl-pool.sx.cn             221.204.226.140:80
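The destinations above are the indicators most readers will want to sweep their own logs for. The following is an added example, not part of the original report: it loads the IP:port pairs from this page as an IOC set and matches them against Zeek conn.log-style records. The log rows are constructed for the demonstration, and the `match_port` switch illustrates the trade-off of matching on IP alone for addresses drawn from ADSL pools.

```python
"""Sweep connection logs for the destinations observed for this sample.
Added example: REPORT_DESTINATIONS is copied from the network section of
this page; SAMPLE_CONN_LOG is constructed, not captured traffic."""
from collections import defaultdict

# Destination IP:port pairs as listed on this page (analysis date 4/24/2025).
REPORT_DESTINATIONS = {
    ("221.13.203.121", 80), ("221.204.226.180", 80), ("103.1.138.95", 80),
    ("211.144.71.49", 443), ("223.111.18.216", 80), ("42.236.10.4", 80),
    ("111.161.3.183", 80), ("218.60.119.231", 80), ("122.143.27.241", 80),
    ("122.143.27.170", 80), ("221.204.226.140", 80),
}

# Constructed Zeek conn.log-style rows (tab separated), internal 10.0.0.0/8 sources.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1745509464.101\tCk1\t10.0.0.15\t51233\t221.204.226.140\t80\ttcp\thttp
1745509465.200\tCk2\t10.0.0.15\t51234\t93.184.216.34\t443\ttcp\tssl
1745509466.300\tCk3\t10.0.0.22\t51235\t122.143.27.170\t80\ttcp\thttp
1745509467.400\tCk4\t10.0.0.22\t51236\t122.143.27.170\t8080\ttcp\t-
1745509468.500\tCk5\t10.0.0.31\t51237\t211.144.71.49\t443\ttcp\tssl
"""


def parse_conn_log(text: str) -> list:
    """Return one dict per data row; '#' header and comment lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, uid, src, sport, dst, dport, proto, service = line.split("\t")
        rows.append({"ts": float(ts), "uid": uid, "src": src, "sport": int(sport),
                     "dst": dst, "dport": int(dport), "proto": proto, "service": service})
    return rows


def find_hits(rows: list, iocs=REPORT_DESTINATIONS, match_port: bool = True) -> list:
    """Rows whose destination is in the IOC set.

    match_port=False matches on IP alone, which also catches the sample talking
    to a known host on another port, but raises the false-positive rate: these
    are ISP ADSL-pool addresses that get reassigned to unrelated subscribers."""
    ioc_ips = {ip for ip, _ in iocs}
    hits = []
    for r in rows:
        if (r["dst"], r["dport"]) in iocs or (not match_port and r["dst"] in ioc_ips):
            hits.append(r)
    return hits


def hosts_by_ioc(hits: list) -> dict:
    """Map each matched destination to the set of internal sources that reached it,
    which is the pivot an analyst needs to scope which machines ran the wrapper."""
    out = defaultdict(set)
    for r in hits:
        out[(r["dst"], r["dport"])].add(r["src"])
    return dict(out)


def plaintext_ratio(iocs=REPORT_DESTINATIONS) -> float:
    """Fraction of observed destinations reached over port 80 (cleartext HTTP)."""
    return sum(1 for _, port in iocs if port == 80) / len(iocs)


if __name__ == "__main__":
    rows = parse_conn_log(SAMPLE_CONN_LOG)
    for key, sources in hosts_by_ioc(find_hits(rows)).items():
        print(f"{key[0]}:{key[1]} <- {sorted(sources)}")
    print(f"{plaintext_ratio():.0%} of observed destinations are plaintext HTTP")
```

Because 10 of the 11 destinations are unencrypted HTTP, a proxy or IDS that logs request lines will give far better context than the IP match alone; the IP set is best treated as a short-lived hunting query rather than a permanent blocklist.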

Remove 王者荣耀电脑版_30@180382.exe - Powered by Reason Core Security