General Info

File name

setup_FYunZip.exe

Full analysis
https://app.any.run/tasks/e273acf5-59bb-4aad-8d5d-c40498b53b72
Verdict
Malicious activity
Analysis date
7/2/2019, 13:12:04
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

7837f101fd4bbc3dacbeac7717f7f999

SHA1

3b6e5d6faaf9a41b363d6a0559f3ed196d285d95

SHA256

d94f55f0c15d14d1706205a043ef9515c9a11ecfde374a43953bf65a4b689c55

SSDEEP

196608:qmzj6KlMgimOWQ7cJsdYF9htgIpUNoucBC2y/w+KenpByM0A4rn0D0ys48:qBgimOv7cJsdY9KcBC9qrn0D0n48

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (73.0.3683.75)
  • Google Update Helper (1.3.33.23)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • FM.exe (PID: 320)
  • Slctk.exe (PID: 1908)
  • Slctk.exe (PID: 2924)
  • TimeHelp.exe (PID: 1820)
  • Zip.exe (PID: 236)
  • Slctk.exe (PID: 3164)
  • Service.exe (PID: 2732)
  • Kit.exe (PID: 3808)
  • Host.exe (PID: 2624)
  • Slctk.exe (PID: 1940)
Loads dropped or rewritten executable
  • Kit.exe (PID: 3808)
Executable content was dropped or overwritten
  • setup_FYunZip.exe (PID: 1868)
Creates files in the program directory
  • setup_FYunZip.exe (PID: 1868)
Uses TASKKILL.EXE to kill process
  • setup_FYunZip.exe (PID: 1868)
Manual execution by user
  • Zip.exe (PID: 236)
  • Slctk.exe (PID: 3164)
  • Service.exe (PID: 2732)
  • Kit.exe (PID: 3808)
  • Host.exe (PID: 2624)
  • NOTEPAD.EXE (PID: 184)
  • explorer.exe (PID: 3380)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.

Static information

TRiD
.exe
|   Win32 EXE PECompact compressed (generic) (21.4%)
.exe
|   Win64 Executable (generic) (14.2%)
.exe
|   Win32 Executable (generic) (2.3%)
.exe
|   Generic Win/DOS Executable (1%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2019:06:25 15:46:23+02:00
PEType:
PE32
LinkerVersion:
14
CodeSize:
1577984
InitializedDataSize:
7682048
UninitializedDataSize:
null
EntryPoint:
0x4389d
OSVersion:
5.1
ImageVersion:
null
SubsystemVersion:
5.1
Subsystem:
Windows GUI
FileVersionNumber:
1.0.8.19625
ProductVersionNumber:
1.0.8.19625
FileFlagsMask:
0x0017
FileFlags:
(none)
FileOS:
Win32
ObjectFileType:
Executable application
FileSubtype:
null
LanguageCode:
Chinese (Simplified)
CharacterSet:
Unicode
CompanyName:
浙江自贸区耀光网络科技有限公司
FileDescription:
风云压缩
FileVersion:
1.0.8.19625
InternalName:
风云压缩
LegalCopyright:
Copyright (C) 2019
OriginalFileName:
Install.exe
ProductName:
风云压缩
ProductVersion:
1,0,8,19625
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
25-Jun-2019 13:46:23
Detected languages
Chinese - PRC
English - United States
Debug artifacts
E:\svn\YaSuo\ChengXu\Tags\fytag_1.0.8.19625\Bundles\FYunZip\Temp\Release\Install.pdb
CompanyName:
浙江自贸区耀光网络科技有限公司
FileDescription:
风云压缩
FileVersion:
1.0.8.19625
InternalName:
风云压缩
LegalCopyright:
Copyright (C) 2019
OriginalFilename:
Install.exe
ProductName:
风云压缩
ProductVersion:
1,0,8,19625
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000138
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
7
Time date stamp:
25-Jun-2019 13:46:23
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x00181223 0x00181400 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.63791
.rdata 0x00183000 0x00068AC4 0x00068C00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.65602
.data 0x001EC000 0x000124CC 0x0000B400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 5.22463
.gfids 0x001FF000 0x000001B4 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 3.50573
.tls 0x00200000 0x00000009 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0.0203931
.rsrc 0x00201000 0x006CA960 0x006CAA00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 7.9707
.reloc 0x008CC000 0x000148D4 0x00014A00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 6.57546
Resources
1, 2, 3, 4, 5, 6, 7, 8, 101, SKINDATA, 7ZDATA

Imports
    KERNEL32.dll
    USER32.dll
    ADVAPI32.dll
    SHELL32.dll
    ole32.dll
    OLEAUT32.dll
    SHLWAPI.dll
    PSAPI.DLL
    CRYPT32.dll
    COMCTL32.dll
    urlmon.dll
    IPHLPAPI.DLL
    GDI32.dll
    gdiplus.dll
    IMM32.dll
    USERENV.dll
    VERSION.dll
    WININET.dll
    WS2_32.dll

Exports

    No exports.

Processes

Total processes
65
Monitored processes
19
Malicious processes
5
Suspicious processes
1

Behavior graph

Graph nodes (interactive graph not reproduced): setup_fyunzip.exe (drop and start), setup_fyunzip.exe, taskkill.exe (5 instances), explorer.exe, slctk.exe (4 instances), notepad.exe, host.exe, kit.exe, service.exe, zip.exe, timehelp.exe, fm.exe
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
2296
CMD
"C:\Users\admin\AppData\Local\Temp\setup_FYunZip.exe"
Path
C:\Users\admin\AppData\Local\Temp\setup_FYunZip.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
浙江自贸区耀光网络科技有限公司
Description
风云压缩
Version
1.0.8.19625
Modules
Image
c:\systemroot\system32\ntdll.dll
c:\users\admin\appdata\local\temp\setup_fyunzip.exe

PID
1868
CMD
"C:\Users\admin\AppData\Local\Temp\setup_FYunZip.exe"
Path
C:\Users\admin\AppData\Local\Temp\setup_FYunZip.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Version:
Company
浙江自贸区耀光网络科技有限公司
Description
风云压缩
Version
1.0.8.19625
Modules
Image
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\users\admin\appdata\local\temp\setup_fyunzip.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\psapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\imm32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\imageres.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\msctf.dll
c:\windows\system32\profapi.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\riched20.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\wintrust.dll
c:\program files\fyunzip\slctk.exe

PID
2980
CMD
taskkill /f /im Config.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
setup_FYunZip.exe
User
admin
Integrity Level
HIGH
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
2276
CMD
taskkill /f /im Service.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
setup_FYunZip.exe
User
admin
Integrity Level
HIGH
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
2400
CMD
taskkill /f /im Kit.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
setup_FYunZip.exe
User
admin
Integrity Level
HIGH
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
1716
CMD
taskkill /f /im Slctk.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
setup_FYunZip.exe
User
admin
Integrity Level
HIGH
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
2312
CMD
taskkill /f /im Uninst.exe
Path
C:\Windows\system32\taskkill.exe
Indicators
No indicators
Parent process
setup_FYunZip.exe
User
admin
Integrity Level
HIGH
Exit code
128
Version:
Company
Microsoft Corporation
Description
Terminates Processes
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\mpr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\winsta.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3380
CMD
"C:\Windows\explorer.exe"
Path
C:\Windows\explorer.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Explorer
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\explorer.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\imm32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\actxprxy.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\powrprof.dll

PID
1940
CMD
"C:\Program Files\FYunZip\Slctk.exe" SpdOp --NewQID fyunzip****** --Silent false
Path
C:\Program Files\FYunZip\Slctk.exe
Indicators
Parent process
setup_FYunZip.exe
User
admin
Integrity Level
HIGH
Version:
Company
浙江自贸区耀光网络科技有限公司
Description
风云压缩
Version
1.0.8.19625
Modules
Image
c:\windows\system32\psapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\program files\fyunzip\slctk.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\profapi.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll

PID
184
CMD
"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\FYunZip\FYunZip.ini
Path
C:\Windows\system32\NOTEPAD.EXE
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Notepad
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winspool.drv
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\clbcatq.dll

PID
2624
CMD
"C:\Program Files\FYunZip\Host.exe"
Path
C:\Program Files\FYunZip\Host.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
1.0.8.19625
Modules
Image
c:\program files\fyunzip\host.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll

PID
3808
CMD
"C:\Program Files\FYunZip\Kit.exe"
Path
C:\Program Files\FYunZip\Kit.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
浙江自贸区耀光网络科技有限公司
Description
风云压缩
Version
1.0.8.19625
Modules
Image
c:\program files\fyunzip\kit.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\version.dll
c:\windows\system32\psapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\riched20.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\clbcatq.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\uxtheme.dll
c:\program files\fyunzip\core.dll

PID
2732
CMD
"C:\Program Files\FYunZip\Service.exe"
Path
C:\Program Files\FYunZip\Service.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
浙江自贸区耀光网络科技有限公司
Description
风云压缩
Version
1.0.8.19625
Modules
Image
c:\program files\fyunzip\service.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\userenv.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\iertutil.dll

PID
3164
CMD
"C:\Program Files\FYunZip\Slctk.exe"
Path
C:\Program Files\FYunZip\Slctk.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
浙江自贸区耀光网络科技有限公司
Description
风云压缩
Version
1.0.8.19625
Modules
Image
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\kernelbase.dll
c:\program files\fyunzip\slctk.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\lpk.dll
c:\windows\system32\sechost.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\nsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\version.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\ole32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msasn1.dll

PID
236
CMD
"C:\Program Files\FYunZip\Zip.exe"
Path
C:\Program Files\FYunZip\Zip.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
浙江自贸区耀光网络科技有限公司
Description
风云压缩
Version
1.0.8.19625
Modules
Image
c:\windows\system32\usp10.dll
c:\windows\system32\comdlg32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sechost.dll
c:\program files\fyunzip\zip.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\profapi.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\psapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll

PID
1820
CMD
"C:\Program Files\FYunZip\TimeHelp.exe" f046
Path
C:\Program Files\FYunZip\TimeHelp.exe
Indicators
No indicators
Parent process
Zip.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
浙江自贸区耀光网络科技有限公司 (Zhejiang Free Trade Zone Yaoguang Network Technology Co., Ltd.)
Description
风云压缩 (Fengyun Compression)
Version
1.0.8.19625
Modules
Image

PID
2924
CMD
"C:\Program Files\FYunZip\Slctk.exe" f017 --RunLx 1
Path
C:\Program Files\FYunZip\Slctk.exe
Indicators
No indicators
Parent process
Zip.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
浙江自贸区耀光网络科技有限公司 (Zhejiang Free Trade Zone Yaoguang Network Technology Co., Ltd.)
Description
风云压缩 (Fengyun Compression)
Version
1.0.8.19625
Modules
Image

PID
1908
CMD
"C:\Program Files\FYunZip\Slctk.exe" f034 --name 主程序
Path
C:\Program Files\FYunZip\Slctk.exe
Indicators
No indicators
Parent process
Zip.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
浙江自贸区耀光网络科技有限公司 (Zhejiang Free Trade Zone Yaoguang Network Technology Co., Ltd.)
Description
风云压缩 (Fengyun Compression)
Version
1.0.8.19625
Modules
Image

PID
320
CMD
"C:\Program Files\FYunZip\FM.exe"
Path
C:\Program Files\FYunZip\FM.exe
Indicators
No indicators
Parent process
Zip.exe
User
admin
Integrity Level
MEDIUM
Version:
Company
浙江自贸区耀光网络科技有限公司 (Zhejiang Free Trade Zone Yaoguang Network Technology Co., Ltd.)
Description
风云压缩 (Fengyun Compression)
Version
1.0.8.19625
Modules
Image

Registry activity

Total events
109
Read events
0
Write events
18
Delete events
0

Modification events

PID   Process            Operation  Key                                                          Name               Value
1868  setup_FYunZip.exe  write      HKEY_CURRENT_USER\Software\FYunZip\SZConfig                  InstallType        0
1868  setup_FYunZip.exe  write      HKEY_CURRENT_USER\Software\FYunZip\PreInstall                InstallParentName  Explorer.EXE
1868  setup_FYunZip.exe  write      HKEY_CURRENT_USER\Software\FYunZip\PreInstall                InstallParentSign  UnKonw
1868  setup_FYunZip.exe  write      HKEY_CURRENT_USER\Software\FYunZip\PreInstall                azms               0
1868  setup_FYunZip.exe  write      HKEY_LOCAL_MACHINE\SOFTWARE\FYunZip                          InstallPath        C:\Program Files\FYunZip\
1868  setup_FYunZip.exe  write      HKEY_CURRENT_USER\Software\FYunZip\SZConfig                  SoftMD5            7837f101fd4bbc3dacbeac7717f7f999
1940  Slctk.exe          write      HKEY_CURRENT_USER\Software\FYunZip\AppInfo                   AppPath            C:\Users\admin\AppData\LocalLow\FYunZip\
1940  Slctk.exe          write      HKEY_LOCAL_MACHINE\SOFTWARE\FYunZip                          ZhXzSj             0
1940  Slctk.exe          write      HKEY_LOCAL_MACHINE\SOFTWARE\TXlTb2Z0\U0hTb2Z0\Rll1blppcA==   XzNum              0
1940  Slctk.exe          write      HKEY_LOCAL_MACHINE\SOFTWARE\FYunZip                          AzPath             C:\Program Files\FYunZip\
1940  Slctk.exe          write      HKEY_LOCAL_MACHINE\SOFTWARE\TXlTb2Z0\U0hTb2Z0\Rll1blppcA==   ZhXzSj             0
1940  Slctk.exe          write      HKEY_LOCAL_MACHINE\SOFTWARE\FYunZip                          XzNum              0
184   NOTEPAD.EXE        write      HKEY_CURRENT_USER\Software\Microsoft\Notepad                 iWindowPosX        154
184   NOTEPAD.EXE        write      HKEY_CURRENT_USER\Software\Microsoft\Notepad                 iWindowPosY        154
184   NOTEPAD.EXE        write      HKEY_CURRENT_USER\Software\Microsoft\Notepad                 iWindowPosDX       960
184   NOTEPAD.EXE        write      HKEY_CURRENT_USER\Software\Microsoft\Notepad                 iWindowPosDY       501
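The key Slctk.exe writes under HKEY_LOCAL_MACHINE\SOFTWARE\TXlTb2Z0\U0hTb2Z0\Rll1blppcA== is built from base64 path components: they decode to MySoft\SHSoft\FYunZip, and the same value names (ZhXzSj, XzNum) are written under both this encoded key and the plain HKEY_LOCAL_MACHINE\SOFTWARE\FYunZip key. The Python below is an added example, not part of the ANY.RUN report or of the vendor's software. It takes the modification events above (re-entered here as constructed input; the NOTEPAD.EXE window-position rows are left out), de-obfuscates base64 components with a deliberately strict heuristic (padded standard base64 that decodes to printable ASCII, which rejects ordinary names such as Software or SZConfig that merely happen to be made of base64-alphabet characters), and reports which value names a process mirrored across more than one key. Function names are the example's own.

```python
import base64
import binascii
import string
from typing import Dict, List, Optional, Set, Tuple

# Constructed from the modification-events table: (PID, process, key, value name, value).
EVENTS: List[Tuple[int, str, str, str, str]] = [
    (1868, "setup_FYunZip.exe", r"HKEY_CURRENT_USER\Software\FYunZip\SZConfig", "InstallType", "0"),
    (1868, "setup_FYunZip.exe", r"HKEY_CURRENT_USER\Software\FYunZip\PreInstall", "InstallParentName", "Explorer.EXE"),
    (1868, "setup_FYunZip.exe", r"HKEY_CURRENT_USER\Software\FYunZip\PreInstall", "InstallParentSign", "UnKonw"),
    (1868, "setup_FYunZip.exe", r"HKEY_CURRENT_USER\Software\FYunZip\PreInstall", "azms", "0"),
    (1868, "setup_FYunZip.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\FYunZip", "InstallPath", "C:\\Program Files\\FYunZip\\"),
    (1868, "setup_FYunZip.exe", r"HKEY_CURRENT_USER\Software\FYunZip\SZConfig", "SoftMD5", "7837f101fd4bbc3dacbeac7717f7f999"),
    (1940, "Slctk.exe", r"HKEY_CURRENT_USER\Software\FYunZip\AppInfo", "AppPath", "C:\\Users\\admin\\AppData\\LocalLow\\FYunZip\\"),
    (1940, "Slctk.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\FYunZip", "ZhXzSj", "0"),
    (1940, "Slctk.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\TXlTb2Z0\U0hTb2Z0\Rll1blppcA==", "XzNum", "0"),
    (1940, "Slctk.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\FYunZip", "AzPath", "C:\\Program Files\\FYunZip\\"),
    (1940, "Slctk.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\TXlTb2Z0\U0hTb2Z0\Rll1blppcA==", "ZhXzSj", "0"),
    (1940, "Slctk.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\FYunZip", "XzNum", "0"),
]

# Printable ASCII minus control whitespace; a decoded component must consist only of these.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def try_base64_component(component: str) -> Optional[str]:
    """Decode one key-path component if it is strict, padded standard base64 that
    yields printable ASCII; otherwise return None.  Real key names rarely survive
    both checks: e.g. 'Software' is base64-alphabet text but decodes to b'J\x87\xed...',
    and 'FYunZip' has a length that is not a multiple of 4."""
    if len(component) < 4 or len(component) % 4:
        return None
    try:
        text = base64.b64decode(component, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if not text or any(ch not in PRINTABLE for ch in text):
        return None
    return text


def deobfuscate_key(key: str) -> Tuple[str, Dict[str, str]]:
    """Return the key with encoded components replaced by their plaintext, plus a
    mapping encoded -> decoded for each component that was rewritten."""
    decoded: Dict[str, str] = {}
    parts: List[str] = []
    for part in key.split("\\"):
        plain = try_base64_component(part)
        if plain is not None:
            decoded[part] = plain
            part = plain
        parts.append(part)
    return "\\".join(parts), decoded


def obfuscated_keys(events: List[Tuple[int, str, str, str, str]]) -> Dict[str, str]:
    """Every written key that contains at least one encoded component, mapped to its decoded form."""
    found: Dict[str, str] = {}
    for _pid, _proc, key, _name, _value in events:
        plain, decoded = deobfuscate_key(key)
        if decoded:
            found[key] = plain
    return found


def mirrored_values(events: List[Tuple[int, str, str, str, str]]) -> Dict[Tuple[str, str], Set[str]]:
    """Value names that a single process wrote under more than one distinct (decoded) key.
    Comparing on the decoded key is what reveals that the encoded HKLM path is a second
    copy of the vendor-named store rather than something unrelated."""
    seen: Dict[Tuple[str, str], Set[str]] = {}
    for _pid, proc, key, name, _value in events:
        seen.setdefault((proc, name), set()).add(deobfuscate_key(key)[0])
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for enc, dec in obfuscated_keys(EVENTS).items():
        print(f"{enc}\n  -> {dec}")
    for (proc, name), keys in mirrored_values(EVENTS).items():
        print(f"{proc} writes {name} under {len(keys)} keys: {sorted(keys)}")
```

The printable-ASCII filter is a heuristic, not a proof: a short real name can in principle decode to printable bytes, so treat a hit as a lead to confirm against the process that wrote it, as the second write of ZhXzSj and XzNum does here.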

Files activity

Executable files
19
Suspicious files
1
Text files
11
Unknown types
0

Dropped files

PID   Process            Type        Filename
1868  setup_FYunZip.exe  executable  C:\Program Files\FYunZip\Service.exe
      MD5: d6a2235fcdb1abf4d2a0956436905f53  SHA256: cac03c31e3a60b0386d9fd57d2a63bb90e19bc60c91223956a391c96794da920
1868  setup_FYunZip.exe  executable  C:\Program Files\FYunZip\Ugd.exe
      MD5: 8ee7bed427e323684fd8d7fa7f13dbd8  SHA256: 13c5966a3ff29f39f8653b6bd1f61cc6e2d7eeda159b82266e62417a51819490
1868  setup_FYunZip.exe  executable  C:\Program Files\FYunZip\TimeHelp.exe
      MD5: b89097cf7cb92a45c4194618c526a5a8  SHA256: 003c1d0978fbab44fc4e6002a75f78c85a94b7c744ab63afcc4744809dc9cd83
1868  setup_FYunZip.exe  executable  C:\Program Files\FYunZip\Slctk.exe
      MD5: 05305e36d056bdf5bf56d4327129402e  SHA256: 4d64d0ae249da75aebb8439eecaddbe87d2e3166d770fc72c43f93f1b0154bc3
1868  setup_FYunZip.exe  executable  C:\Program Files\FYunZip\Reg64.exe
      MD5: a77a17c3c32de382df6d76ee4986a917  SHA256: 4d2d73a429f2f48f1fd3241536e6c007c7125f4bee86466aeddb62e35ad65460
1868  setup_FYunZip.exe  executable  C:\Program Files\FYunZip\Uninst.exe
      MD5: 6fc046588efe77e682dfed21009ea236  SHA256: 792d73d9887954c222b1bb1ee96a95df4b6389f9513edcd4ffde87af382f1dd0
1868  setup_FYunZip.exe  executable  C:\Program Files\FYunZip\Kit.exe
      MD5: ee34cb8b50f3de999dafa0a332620ce0  SHA256: fd9c3b6123af69ddad216b6648b6f68a15257a9751654104cb2bc2d2891f4bad
1868  setup_FYunZip.exe  executable  C:\Program Files\FYunZip\Ext.dll
      MD5: 37bffe5b8990c0db6913f8352b83338a  SHA256: fb1fe8df9a84ce1e09a147e370f95b97b85ed6eb1ef748ec34184c3b0a72cf90
1868  setup_FYunZip.exe  executable  C:\Program Files\FYunZip\Host.exe
      MD5: 84a7f0054f049d960668d792aeb08d45  SHA256: e22eb308441c04cfe0cfcdb38f48c008bbd6e203c879dde558e8d33252ae7c5c
1868  setup_FYunZip.exe  executable  C:\Program Files\FYunZip\Host.dll
      MD5: e3aaf02739628b37083385bbd70552b1  SHA256: 7cae1fc6c0b43584a6980b1c05bd44faa3475a1dbaa13cbeda1cefc6da192390
1868  setup_FYunZip.exe  executable  C:\Program Files\FYunZip\Shell.dll
      MD5: 2f76517d6824975dc0baa4cf1b0d403e  SHA256: 164fa022bee08d4a6391b95cf096631650ae2faddf52660ee33e1e3a651a4f29
1868  setup_FYunZip.exe  executable  C:\Program Files\FYunZip\Shell64.dll
      MD5: a14bf34880cb9f63f42a2af33458ac87  SHA256: 3d00f09d51615ba2a5e36386cbe0d93aa09bf1170ad569c51ea9b59361cb1841
1868  setup_FYunZip.exe  executable  C:\Program Files\FYunZip\Oly.dll
      MD5: 0c8ed41d8d9df7ede3b827c1691f2d2c  SHA256: 42b303c13d3b26ecdb0bb8dd712777af10f1f516cff15800203a676c2ed46803
1868  setup_FYunZip.exe  executable  C:\Program Files\FYunZip\Reg.exe
      MD5: dabd2e2647040e21addeb36f12691316  SHA256: d97f39863fe2246689cd9f0fadcfa1b97648a2b0c5e3127b70c404a8f493bf43
1868  setup_FYunZip.exe  executable  C:\Program Files\FYunZip\FM.exe
      MD5: 1bb0e499923b708becce06cb79ac3548  SHA256: da2df074ad5385b2b2d7fbb16a910d6e899fc8de3fd1107698e84fa945b265ea
1868  setup_FYunZip.exe  executable  C:\Program Files\FYunZip\Oly64.dll
      MD5: a7af3557f0a201fa76e0113362add8a5  SHA256: ed2cd9d66f878ede71ca6de7869b20417337ca42194cf9a7d84b54d3049e22c1
1868  setup_FYunZip.exe  executable  C:\Program Files\FYunZip\Zip.exe
      MD5: b0267d59ee31946f2446aa1603c9d133  SHA256: ef6d7f401b7f6779fe8c7915a63cd69f073e29f619cf36d1a08752647e0dce25
1868  setup_FYunZip.exe  executable  C:\Program Files\FYunZip\Core.dll
      MD5: 37f18cd60da0952b399cc1b02b6d6147  SHA256: 77a9c922c81cad295654d06aa67d567f772ce9ce22e58e6d0447014e4698d5c8
1868  setup_FYunZip.exe  executable  C:\Program Files\FYunZip\Giafe.exe
      MD5: 01fae5e25556098769b7cbaa42f31b5e  SHA256: ed5f3fcc098b2875df27af8c1ffded793110b6554c890f051e54b4a87b01b70f
1868  setup_FYunZip.exe  text        C:\Program Files\FYunZip\Lang\zh-cn.txt
      MD5: f651d44c7edd6a12f09fdfce81f75516  SHA256: 0a4c2424d9349091e8b97fddfabbbd6c633ce4b9e12dee35eb61ff8106b41e37
1940  Slctk.exe          text        C:\Program Files\FYunZip\FYunZip.ini
      MD5: 5ec69e8fc7b74decb435d36a9ac9455f  SHA256: 69355055b92f101360cea6cde8bd6c34e5da498dfb9d21ae74f32d916cae0e7e
1868  setup_FYunZip.exe  ––          C:\Users\admin\AppData\Local\Temp\FYunZip-31604-7zData.7z
      MD5: ––  SHA256: ––
1940  Slctk.exe          text        C:\Program Files\Common Files\FYunZip\FYunZip.ini
      MD5: 5c42410ce6fa631c6600915d29679765  SHA256: 0b74ea938faa5d853f6f7fd256e9c10ae1dcecaadeedd61250e51e2a4a394f6a
1868  setup_FYunZip.exe  text        C:\Program Files\FYunZip\FYunZip.ini
      MD5: 22bb6101c692ab5b3e1d8321eacf6f5b  SHA256: a29e995cb3564bc1e6ad2e0b37977f4f3f9bc56447ddea9688b6c8a75595e95d
1868  setup_FYunZip.exe  compressed  C:\Program Files\FYunZip\ZipNew.data
      MD5: 76cdb2bad9582d23c1f6f4d868218d6c  SHA256: 8739c76e681f900923b900c9df0ef75cf421d39cabb54650c4b9ad19b6a76d85
1868  setup_FYunZip.exe  text        C:\Program Files\FYunZip\Lang\an.txt
      MD5: bf8564b2dad5d2506887f87aee169a0a  SHA256: 0e8dd119dfa6c6c1b3aca993715092cdf1560947871092876d309dbc1940a14a
1868  setup_FYunZip.exe  xml         C:\Program Files\FYunZip\Setting\FilterConfig.xml
      MD5: 47b7a11df71a074ae38bc52da976401f  SHA256: 5645b2234b8bf80d6568661d49497e1fe3d6f976580f7c8399dbe04469dcdc6e
1868  setup_FYunZip.exe  xml         C:\Program Files\FYunZip\Setting\AlgorithmConfig.xml
      MD5: d3517b07cff8652912b5dbd5b10c22ab  SHA256: 2634c31c0ab0717e8a40fa62f9538a57bcb1065f5a65b44bf07f76a2138f7f62
1868  setup_FYunZip.exe  text        C:\Program Files\Common Files\FYunZip\FYunZip.ini
      MD5: 6d86f106e05339d95b6d0fbb34ee590f  SHA256: bb2aba1af6dd9e75f6ab3f359d2116ad0a76643323cc62d80e5909e0251fc0cf
1868  setup_FYunZip.exe  text        C:\Users\admin\AppData\LocalLow\FYunZip\CfgPath\SyHj.src
      MD5: 50edfd7232c5ed1dc298288a85de0b0d  SHA256: 2ade5c99f5453da1ba3a50a7a7ff768623cb0b36802d94205bcf895e148abef0
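Three things in the dropped-file list deserve a second look before the hashes go into a blocklist: both FYunZip.ini paths (under Program Files\FYunZip and under Common Files\FYunZip) appear twice with different hashes, once from setup_FYunZip.exe and once from Slctk.exe, so the configuration is changed after the installer has written it; the temporary .7z in the user's Temp folder has no hash captured; and SyHj.src is written into the per-user AppData\LocalLow tree, outside the install root. The Python below is an added example, not part of the ANY.RUN report or of the vendor's software. It works on a constructed subset of the records above (nine of them, SHA256 copied from the report, MD5 omitted) and turns them into what an incident responder needs: a de-duplicated SHA256 list of the dropped executables, the paths that were rewritten, the drops outside C:\Program Files\, and the files the sandbox could not hash. Function and type names are the example's own.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple


class Drop(NamedTuple):
    pid: int
    process: str
    path: str
    kind: Optional[str]    # the report's file-type column; None where it shows "––"
    sha256: Optional[str]  # None where the report captured no hash


# Constructed subset of the "Dropped files" records, kept in the report's listing order.
DROPS: List[Drop] = [
    Drop(1868, "setup_FYunZip.exe", r"C:\Program Files\FYunZip\Service.exe", "executable",
         "cac03c31e3a60b0386d9fd57d2a63bb90e19bc60c91223956a391c96794da920"),
    Drop(1868, "setup_FYunZip.exe", r"C:\Program Files\FYunZip\Slctk.exe", "executable",
         "4d64d0ae249da75aebb8439eecaddbe87d2e3166d770fc72c43f93f1b0154bc3"),
    Drop(1868, "setup_FYunZip.exe", r"C:\Program Files\FYunZip\Zip.exe", "executable",
         "ef6d7f401b7f6779fe8c7915a63cd69f073e29f619cf36d1a08752647e0dce25"),
    Drop(1940, "Slctk.exe", r"C:\Program Files\FYunZip\FYunZip.ini", "text",
         "69355055b92f101360cea6cde8bd6c34e5da498dfb9d21ae74f32d916cae0e7e"),
    Drop(1868, "setup_FYunZip.exe", r"C:\Users\admin\AppData\Local\Temp\FYunZip-31604-7zData.7z", None, None),
    Drop(1940, "Slctk.exe", r"C:\Program Files\Common Files\FYunZip\FYunZip.ini", "text",
         "0b74ea938faa5d853f6f7fd256e9c10ae1dcecaadeedd61250e51e2a4a394f6a"),
    Drop(1868, "setup_FYunZip.exe", r"C:\Program Files\FYunZip\FYunZip.ini", "text",
         "a29e995cb3564bc1e6ad2e0b37977f4f3f9bc56447ddea9688b6c8a75595e95d"),
    Drop(1868, "setup_FYunZip.exe", r"C:\Program Files\Common Files\FYunZip\FYunZip.ini", "text",
         "bb2aba1af6dd9e75f6ab3f359d2116ad0a76643323cc62d80e5909e0251fc0cf"),
    Drop(1868, "setup_FYunZip.exe", r"C:\Users\admin\AppData\LocalLow\FYunZip\CfgPath\SyHj.src", "text",
         "2ade5c99f5453da1ba3a50a7a7ff768623cb0b36802d94205bcf895e148abef0"),
]


def executable_hashes(drops: List[Drop]) -> List[str]:
    """Sorted, de-duplicated SHA256 of every dropped PE, ready for a blocklist or a hunt query."""
    return sorted({d.sha256 for d in drops if d.kind == "executable" and d.sha256})


def rewritten_paths(drops: List[Drop]) -> Dict[str, List[Tuple[str, str]]]:
    """Paths listed with more than one distinct hash, keyed by the path as first listed,
    each with its (process, sha256) records.  The report gives no timestamps, so the
    list order is only the order in which the report lists the records."""
    groups: Dict[str, List[Drop]] = {}
    for d in drops:
        groups.setdefault(d.path.casefold(), []).append(d)  # NTFS paths are case-insensitive
    out: Dict[str, List[Tuple[str, str]]] = {}
    for group in groups.values():
        if len({d.sha256 for d in group if d.sha256}) > 1:
            out[group[0].path] = [(d.process, d.sha256 or "") for d in group]
    return out


def drops_outside(drops: List[Drop], root: str = "C:\\Program Files\\") -> List[str]:
    """Paths written anywhere other than the install root (here: Temp and the per-user LocalLow tree)."""
    prefix = root.casefold()
    return [d.path for d in drops if not d.path.casefold().startswith(prefix)]


def unhashed(drops: List[Drop]) -> List[str]:
    """Files the report lists without a hash; they cannot go into a hash-based indicator set."""
    return [d.path for d in drops if d.sha256 is None]


if __name__ == "__main__":
    print("\n".join(executable_hashes(DROPS)))
    for path, writers in rewritten_paths(DROPS).items():
        print(f"rewritten: {path} by {[proc for proc, _ in writers]}")
    print("outside install root:", drops_outside(DROPS))
    print("no hash captured:", unhashed(DROPS))
```

When run over the full list rather than this subset, the same functions give the 19 executable hashes the summary counts, and the two FYunZip.ini paths remain the only rewritten ones.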

Find more information on the static content, and download it, in the full report

Network activity

HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID   Process            Method  HTTP Code  IP                  URL                               CN  Type  Size  Reputation
1868  setup_FYunZip.exe  GET     ––         112.124.193.155:80  http://sc.yaoguangsoft.cn/tm.php  CN  ––    ––    malicious
1940  Slctk.exe          GET     ––         112.124.193.155:80  http://sc.yaoguangsoft.cn/tm.php  CN  ––    ––    malicious

Download the PCAP and analyze network streams, HTTP content and more in the full report

Connections

PID   Process            IP                  ASN                                     CN  Reputation
1868  setup_FYunZip.exe  112.124.193.155:80  Hangzhou Alibaba Advertising Co.,Ltd.   CN  malicious
1940  Slctk.exe          112.124.193.155:80  Hangzhou Alibaba Advertising Co.,Ltd.   CN  malicious

DNS requests

Domain              IP               Reputation
sc.yaoguangsoft.cn  112.124.193.155  malicious

Threats

No threats detected (no IDS signature matched the captured traffic; the "malicious" label on sc.yaoguangsoft.cn above is a reputation verdict, not a signature hit).

Debug output strings

No debug info.