File name: | setup_FYunZip.exe |
Full analysis: | https://app.any.run/tasks/e273acf5-59bb-4aad-8d5d-c40498b53b72 |
Verdict: | Malicious activity |
Analysis date: | July 02, 2019, 13:12:04 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 7837F101FD4BBC3DACBEAC7717F7F999 |
SHA1: | 3B6E5D6FAAF9A41B363D6A0559F3ED196D285D95 |
SHA256: | D94F55F0C15D14D1706205A043EF9515C9A11ECFDE374A43953BF65A4B689C55 |
SSDEEP: | 196608:qmzj6KlMgimOWQ7cJsdYF9htgIpUNoucBC2y/w+KenpByM0A4rn0D0ys48:qBgimOv7cJsdY9KcBC9qrn0D0n48 |
.exe | | | Win32 EXE PECompact compressed (generic) (21.4) |
---|---|---|
.exe | | | Win64 Executable (generic) (14.2) |
.exe | | | Win32 Executable (generic) (2.3) |
.exe | | | Generic Win/DOS Executable (1) |
ProductVersion: | 1,0,8,19625 |
---|---|
ProductName: | 风云压缩 |
OriginalFileName: | Install.exe |
LegalCopyright: | Copyright (C) 2019 |
InternalName: | 风云压缩 |
FileVersion: | 1.0.8.19625 |
FileDescription: | 风云压缩 |
CompanyName: | 浙江自贸区耀光网络科技有限公司 |
CharacterSet: | Unicode |
LanguageCode: | Chinese (Simplified) |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x0017 |
ProductVersionNumber: | 1.0.8.19625 |
FileVersionNumber: | 1.0.8.19625 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x4389d |
UninitializedDataSize: | - |
InitializedDataSize: | 7682048 |
CodeSize: | 1577984 |
LinkerVersion: | 14 |
PEType: | PE32 |
TimeStamp: | 2019:06:25 15:46:23+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 25-Jun-2019 13:46:23 |
Detected languages: |
|
Debug artifacts: |
|
CompanyName: | 浙江自贸区耀光网络科技有限公司 |
FileDescription: | 风云压缩 |
FileVersion: | 1.0.8.19625 |
InternalName: | 风云压缩 |
LegalCopyright: | Copyright (C) 2019 |
OriginalFilename: | Install.exe |
ProductName: | 风云压缩 |
ProductVersion: | 1,0,8,19625 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000138 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 7 |
Time date stamp: | 25-Jun-2019 13:46:23 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x00181223 | 0x00181400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.63791 |
.rdata | 0x00183000 | 0x00068AC4 | 0x00068C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.65602 |
.data | 0x001EC000 | 0x000124CC | 0x0000B400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.22463 |
.gfids | 0x001FF000 | 0x000001B4 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.50573 |
.tls | 0x00200000 | 0x00000009 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0203931 |
.rsrc | 0x00201000 | 0x006CA960 | 0x006CAA00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.9707 |
.reloc | 0x008CC000 | 0x000148D4 | 0x00014A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.57546 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.41141 | 1260 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 5.99013 | 67624 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
3 | 6.16355 | 38056 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
4 | 6.1269 | 21640 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
5 | 5.96956 | 16936 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
6 | 6.08982 | 9640 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
7 | 5.92339 | 4264 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
8 | 5.83767 | 1128 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
101 | 2.94794 | 118 | Latin 1 / Western European | Chinese - PRC | RT_GROUP_ICON |
SKINDATA | 7.99403 | 335562 | Latin 1 / Western European | Chinese - PRC | ZIPRES |
ADVAPI32.dll |
COMCTL32.dll |
CRYPT32.dll |
GDI32.dll |
IMM32.dll |
IPHLPAPI.DLL |
KERNEL32.dll |
OLEAUT32.dll |
PSAPI.DLL |
SHELL32.dll |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2296 | "C:\Users\admin\AppData\Local\Temp\setup_FYunZip.exe" | C:\Users\admin\AppData\Local\Temp\setup_FYunZip.exe | — | explorer.exe |
User: admin Company: 浙江自贸区耀光网络科技有限公司 Integrity Level: MEDIUM Description: 风云压缩 Exit code: 3221226540 Version: 1.0.8.19625 | ||||
1868 | "C:\Users\admin\AppData\Local\Temp\setup_FYunZip.exe" | C:\Users\admin\AppData\Local\Temp\setup_FYunZip.exe | explorer.exe | |
User: admin Company: 浙江自贸区耀光网络科技有限公司 Integrity Level: HIGH Description: 风云压缩 Version: 1.0.8.19625 | ||||
2980 | taskkill /f /im Config.exe | C:\Windows\system32\taskkill.exe | — | setup_FYunZip.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2276 | taskkill /f /im Service.exe | C:\Windows\system32\taskkill.exe | — | setup_FYunZip.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2400 | taskkill /f /im Kit.exe | C:\Windows\system32\taskkill.exe | — | setup_FYunZip.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1716 | taskkill /f /im Slctk.exe | C:\Windows\system32\taskkill.exe | — | setup_FYunZip.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2312 | taskkill /f /im Uninst.exe | C:\Windows\system32\taskkill.exe | — | setup_FYunZip.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3380 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1940 | "C:\Program Files\FYunZip\Slctk.exe" SpdOp --NewQID fyunzip****** --Silent false | C:\Program Files\FYunZip\Slctk.exe | setup_FYunZip.exe | |
User: admin Company: 浙江自贸区耀光网络科技有限公司 Integrity Level: HIGH Description: 风云压缩 Version: 1.0.8.19625 | ||||
184 | "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\FYunZip\FYunZip.ini | C:\Windows\system32\NOTEPAD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1868 | setup_FYunZip.exe | C:\Users\admin\AppData\Local\Temp\FYunZip-31604-7zData.7z | — | |
MD5:— | SHA256:— | |||
1868 | setup_FYunZip.exe | C:\Program Files\FYunZip\Lang\zh-cn.txt | text | |
MD5:F651D44C7EDD6A12F09FDFCE81F75516 | SHA256:0A4C2424D9349091E8B97FDDFABBBD6C633CE4B9E12DEE35EB61FF8106B41E37 | |||
1868 | setup_FYunZip.exe | C:\Program Files\FYunZip\FYunZip.ini | text | |
MD5:22BB6101C692AB5B3E1D8321EACF6F5B | SHA256:A29E995CB3564BC1E6AD2E0B37977F4F3F9BC56447DDEA9688B6C8A75595E95D | |||
1868 | setup_FYunZip.exe | C:\Users\admin\AppData\LocalLow\FYunZip\CfgPath\SyHj.src | text | |
MD5:C73743F9B266A8892828011C86F853EC | SHA256:D83F5A964F42F7D4F5EEDBE344780D1D73C22F383F2E6A4D94FC7FF484ADDB33 | |||
1868 | setup_FYunZip.exe | C:\Program Files\Common Files\FYunZip\FYunZip.ini | text | |
MD5:6D86F106E05339D95B6D0FBB34EE590F | SHA256:BB2ABA1AF6DD9E75F6AB3F359D2116AD0A76643323CC62D80E5909E0251FC0CF | |||
1868 | setup_FYunZip.exe | C:\Program Files\FYunZip\Setting\AlgorithmConfig.xml | xml | |
MD5:D3517B07CFF8652912B5DBD5B10C22AB | SHA256:2634C31C0AB0717E8A40FA62F9538A57BCB1065F5A65B44BF07F76A2138F7F62 | |||
1868 | setup_FYunZip.exe | C:\Program Files\FYunZip\Host.exe | executable | |
MD5:84A7F0054F049D960668D792AEB08D45 | SHA256:E22EB308441C04CFE0CFCDB38F48C008BBD6E203C879DDE558E8D33252AE7C5C | |||
1868 | setup_FYunZip.exe | C:\Program Files\FYunZip\Setting\FilterConfig.xml | xml | |
MD5:47B7A11DF71A074AE38BC52DA976401F | SHA256:5645B2234B8BF80D6568661D49497E1FE3D6F976580F7C8399DBE04469DCDC6E | |||
1868 | setup_FYunZip.exe | C:\Program Files\FYunZip\Kit.exe | executable | |
MD5:EE34CB8B50F3DE999DAFA0A332620CE0 | SHA256:FD9C3B6123AF69DDAD216B6648B6F68A15257A9751654104CB2BC2D2891F4BAD | |||
1868 | setup_FYunZip.exe | C:\Program Files\FYunZip\Reg.exe | executable | |
MD5:DABD2E2647040E21ADDEB36F12691316 | SHA256:D97F39863FE2246689CD9F0FADCFA1B97648A2B0C5E3127B70C404A8F493BF43 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1940 | Slctk.exe | GET | — | 112.124.193.155:80 | http://sc.yaoguangsoft.cn/tm.php | CN | — | — | malicious |
1868 | setup_FYunZip.exe | GET | — | 112.124.193.155:80 | http://sc.yaoguangsoft.cn/tm.php | CN | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1868 | setup_FYunZip.exe | 112.124.193.155:80 | sc.yaoguangsoft.cn | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious |
1940 | Slctk.exe | 112.124.193.155:80 | sc.yaoguangsoft.cn | Hangzhou Alibaba Advertising Co.,Ltd. | CN | malicious |
Domain | IP | Reputation |
---|---|---|
sc.yaoguangsoft.cn |
| malicious |