Summary | ZeroBOX

PianoScrap.exe

Category: FILE
Machine: s1_win7_x6402
Started: June 24, 2021, 7:29 p.m.
Completed: June 24, 2021, 7:37 p.m.
Size: 83.9KB
Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 2e765a8048bcd67f293f11db938e77c3
SHA256: 5f7322f79d8ce25a52aadf16b3f068169990cda606fb287d74fd5957c250c3b5
CRC32: 9440100D
ssdeep: 1536:lTViOcRUBWC2jZP2ITQX5+e7ZnbHJNvgKWEJ4AZD6nm3ZjayurLT:lTUOPWC/IUJtZnbHJGc4w6m3ZjayILT
Yara
  • PE_Header_Zero - PE File Signature
  • IsPE32 - (no description)

Suricata Alerts

Flow SID Signature Category
UDP 192.168.56.102:61459 -> 164.124.101.2:53 2023883 ET DNS Query to a *.top domain - Likely Hostile Potentially Bad Traffic
TCP 192.168.56.102:49808 -> 120.52.95.242:80 2022896 ET HUNTING SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016 A Network Trojan was detected
TCP 192.168.56.102:49808 -> 120.52.95.242:80 2023882 ET INFO HTTP Request to a *.top domain Potentially Bad Traffic
TCP 120.52.95.242:80 -> 192.168.56.102:49808 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 120.52.95.242:80 -> 192.168.56.102:49808 2023464 ET HUNTING Possible EXE Download From Suspicious TLD Misc activity
TCP 211.152.132.122:80 -> 192.168.56.102:49810 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 125.77.167.183:80 -> 192.168.56.102:49812 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 119.6.229.138:80 -> 192.168.56.102:49815 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 119.6.229.138:80 -> 192.168.56.102:49815 2014520 ET INFO EXE - Served Attached HTTP Misc activity
TCP 119.206.200.180:80 -> 192.168.56.102:49817 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 119.39.80.117:80 -> 192.168.56.102:49823 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 119.206.200.180:80 -> 192.168.56.102:49855 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49838 -> 106.75.135.138:80 2011227 ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) Potentially Bad Traffic
TCP 192.168.56.102:49850 -> 106.75.135.138:80 2011227 ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) Potentially Bad Traffic
TCP 192.168.56.102:49850 -> 106.75.135.138:80 2011227 ET USER_AGENTS Observed Suspicious UA (NSIS_Inetc (Mozilla)) Potentially Bad Traffic
TCP 192.168.56.102:49831 -> 119.206.200.180:80 2012392 ET MALWARE Suspicious Download Setup_ exe A Network Trojan was detected
TCP 119.206.200.180:80 -> 192.168.56.102:49831 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49878 -> 111.230.117.40:80 2003492 ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) Potentially Bad Traffic
TCP 125.77.167.183:80 -> 192.168.56.102:49879 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation
TCP 192.168.56.102:49996 -> 211.159.130.115:80 2003492 ET HUNTING Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) Potentially Bad Traffic
TCP 211.91.160.215:80 -> 192.168.56.102:50025 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation

Suricata TLS

Flow Issuer Subject Fingerprint

TLS 1.2 192.168.56.102:49860 -> 49.233.242.159:443
issuer: C=CN, O=TrustAsia Technologies, Inc., OU=Domain Validated SSL, CN=TrustAsia TLS RSA CA
subject: CN=*.lanshan.com
fingerprint: a8:d7:0b:b8:11:9b:5d:14:90:80:41:9d:82:44:17:2f:76:19:a6:a1

TLS 1.2 192.168.56.102:49863 -> 42.56.79.236:443
issuer: C=CN, O=TrustAsia Technologies, Inc., OU=Domain Validated SSL, CN=TrustAsia TLS RSA CA
subject: CN=*.lanshan.com
fingerprint: a8:d7:0b:b8:11:9b:5d:14:90:80:41:9d:82:44:17:2f:76:19:a6:a1

Time & API Arguments Status Return Repeated

GetComputerNameW computer_name: TEST22-PC 1 1 0 (48 identical calls logged)
GetComputerNameA computer_name: TEST22-PC 1 1 0 (2 identical calls logged)
Time & API Arguments Status Return Repeated

IsDebuggerPresent 0 0 (10 identical calls logged)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
file C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx 1 1 0
section .ndata
Time & API Arguments Status Return Repeated

__exception__

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 16184180
registers.edi: 7120860
registers.eax: 16184180
registers.ebp: 16184260
registers.edx: 6973242
registers.ebx: 16184544
registers.esi: 2147746133
registers.ecx: 7095528
1 0 0

__exception__

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 2287368
registers.edi: 1957755408
registers.eax: 2287368
registers.ebp: 2287448
registers.edx: 1
registers.ebx: 6836836
registers.esi: 2147746133
registers.ecx: 3278837057
1 0 0

__exception__

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 46592848
registers.edi: 7133044
registers.eax: 46592848
registers.ebp: 46592928
registers.edx: 10
registers.ebx: 46593212
registers.esi: 2147746133
registers.ecx: 7111968
1 0 0

__exception__

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x76a7b727
registers.esp: 2025520
registers.edi: 1957755408
registers.eax: 2025520
registers.ebp: 2025600
registers.edx: 1
registers.ebx: 6836836
registers.esi: 2147746133
registers.ecx: 3345392110
1 0 0

__exception__

exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a c7 45
exception.symbol: ?AddItem@ReportHelper@business_publish@@QAEHABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@HAAV?$vector@U?$pair@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@@std@@V?$allocator@U?$pair@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@@std@@@2@@4@@Z+0x4819b ??_7?$kxQueueThreadRun@VKSimpleDirectInfoc@@$03VLocker@kbase@@@kbase@@6B@-0x2dbf1 k52zip20210520-220-21+0xa665b
exception.instruction: in eax, dx
exception.module: k52zip20210520-220-21.exe
exception.exception_code: 0xc0000096
exception.offset: 681563
exception.address: 0x4a665b
registers.esp: 1633916
registers.edi: 1634936
registers.eax: 1447909480
registers.ebp: 1633976
registers.edx: 22104
registers.ebx: 0
registers.esi: 1634936
registers.ecx: 10
1 0 0
suspicious_features HTTP version 1.0 used suspicious_request GET http://xz.8dashi.com/qd/mastercfgoo.ini?v2021062544904
suspicious_features HTTP version 1.0 used suspicious_request GET http://down.gametoplist.top/60b5f24b88583/IMedia-553.exe
suspicious_features HTTP version 1.0 used suspicious_request GET http://s.syzs.qq.com/channel/6/17100/syzs03_1000219144.exe
suspicious_features HTTP version 1.0 used suspicious_request GET http://download.52pcfree.com/fastpdf/Fastpdf_setup_ver21042017.420.1.1.1.exe
suspicious_features HTTP version 1.0 used suspicious_request GET http://down2.thorzip.muxin.fun/tiangua_2/leishenzip_247915520_tiangua_001.exe
suspicious_features HTTP version 1.0 used suspicious_request GET http://dl.binghuokeji.cn/d/ghwuxPEi/FlashZip_2710.exe
suspicious_features GET method with no useragent header suspicious_request GET http://down2.thorzip.muxin.fun/60fffd6d5d24aa987a843c4d3a0980b4.data
suspicious_features GET method with no useragent header suspicious_request GET http://api.mxgcat.wang/84e3aa4c7cb77c6933867ee34cb49c32.md5
suspicious_features HTTP version 1.0 used suspicious_request GET http://cdn-office.lanshan.com/package/tui/downloadtool/office/OfficeDownloaderInstall_0_100016_lanshan.exe
suspicious_features GET method with no useragent header suspicious_request GET http://api.mxgcat.wang/84e3aa4c7cb77c6933867ee34cb49c32.json
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://mxreport.whooyan.com/
suspicious_features HTTP version 1.0 used suspicious_request GET http://down.rxgif.cn/ddxm/Setup_10011.exe
suspicious_features POST method with no referer header suspicious_request POST http://union.juzizm.com/api/count/setup2
suspicious_features POST method with no referer header suspicious_request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/pkg/l1
suspicious_features HTTP version 1.0 used suspicious_request GET http://dn.earpan.com/store/pic_soft45181.exe
suspicious_features POST method with no referer header suspicious_request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/i5
suspicious_features POST method with no referer header suspicious_request POST http://dbsu.cmcm.com/uv?t=1624564187
suspicious_features POST method with no referer header suspicious_request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/i6
suspicious_features POST method with no referer header suspicious_request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/s1
suspicious_features POST method with no referer header suspicious_request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/i2
suspicious_features POST method with no referer header suspicious_request POST http://tj.rxgif.cn/api/logs
suspicious_features HTTP version 1.0 used suspicious_request GET http://down.rxgif.cn/DBlink/LnockRarsly.exe
suspicious_features POST method with no referer header suspicious_request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/s4
suspicious_features POST method with no referer header suspicious_request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/popup/p1
suspicious_features POST method with no referer header suspicious_request POST http://infoc0.duba.net/nep/v1/
suspicious_features HTTP version 1.0 used suspicious_request GET http://download.52pcfree.com/k52zip/k52zip20210520-220-21.exe
suspicious_features GET method with no useragent header suspicious_request GET http://tj.wdmuz.com/lc-spbj.php?uid=262f2de5d68b2fac5ccaac65dbf7853f&qid=null&softname=bangong&softid=shanzip&softver=
suspicious_features GET method with no useragent header suspicious_request GET http://shdl.wdmuz.com/bjlc/87cbca115561d04afe4c965dd803098a.cdd?rand=85070
suspicious_features GET method with no useragent header suspicious_request GET http://tj.wdmuz.com/pipil.php
suspicious_features GET method with no useragent header suspicious_request GET http://kl.hnayg.com/zkactive/ctl/v2/qinfo.html?uid=74a6032aa894c3a537de6d362f685c90
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://tj.rxgif.cn/api/live/server
suspicious_features POST method with no referer header suspicious_request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/l2
suspicious_features GET method with no useragent header suspicious_request GET http://down1.thorzip.muxin.fun/report/queryinfo.xml
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://info.52pcfree.com/c/
suspicious_features POST method with no referer header suspicious_request POST http://infoc2.duba.net/c/
suspicious_features POST method with no referer header suspicious_request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/s3
suspicious_features POST method with no referer header suspicious_request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/r1
suspicious_features POST method with no referer header suspicious_request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/r2
suspicious_features POST method with no referer header suspicious_request POST http://union.infoc.duba.net/nep/v1/
suspicious_features GET method with no useragent header suspicious_request GET http://config.i.duba.net/rcmdsoft/11/1/sencecfg.dat
suspicious_features GET method with no useragent header suspicious_request GET http://config.i.duba.net/rcmdsoft/db/kzip_install_pushdb02.zip
suspicious_features HTTP version 1.0 used suspicious_request GET http://down1.abckantu.com/shouheng_1/abckantu_2722097895_shouheng_001.exe
suspicious_features GET method with no useragent header suspicious_request GET http://down1.abckantu.com/11a9df7ff83a058afaadb5a09da594ae.data
suspicious_features POST method with no referer header, POST method with no useragent header suspicious_request POST http://report.uchiha.ltd/
request GET http://xz.8dashi.com/qd/mastercfgoo.ini?v2021062544904
request GET http://down.gametoplist.top/60b5f24b88583/IMedia-553.exe
request GET http://s.syzs.qq.com/channel/6/17100/syzs03_1000219144.exe
request GET http://download.52pcfree.com/fastpdf/Fastpdf_setup_ver21042017.420.1.1.1.exe
request GET http://down2.thorzip.muxin.fun/tiangua_2/leishenzip_247915520_tiangua_001.exe
request GET http://dl.binghuokeji.cn/d/ghwuxPEi/FlashZip_2710.exe
request GET http://down2.thorzip.muxin.fun/60fffd6d5d24aa987a843c4d3a0980b4.data
request GET http://api.mxgcat.wang/84e3aa4c7cb77c6933867ee34cb49c32.md5
request GET http://cdn-office.lanshan.com/package/tui/downloadtool/office/OfficeDownloaderInstall_0_100016_lanshan.exe
request GET http://api.mxgcat.wang/84e3aa4c7cb77c6933867ee34cb49c32.json
request POST http://mxreport.whooyan.com/
request GET http://down.rxgif.cn/ddxm/Setup_10011.exe
request GET http://g.zapi.binghuokeji.cn/?r=/v3/cp/d&p=xLuKkTD7FYrn1KGf0d1pS8VsD0RJ%2BB/azLdXTIBJEaZEgoZX6k3g9qcj6f1izDRQaHEbdKVMY0KnIblHwcjmrg%3D%3D
request GET http://dl.binghuokeji.cn/img/tbmsc.jpg
request GET http://g.zapi.binghuokeji.cn/?r=/v3/cp/i&p=SxInsX/RJYZFLz7ztyfMIDL%2BGa9IB3Wjc0bUqn3/WR3cqUoBQ1fPqp/GqBYrObWp/4LvN/YAJhMOXv%2BfLeFo3w%3D%3D
request GET http://g.zapi.binghuokeji.cn/?r=/v3/cp/c&p=PHOja0XI6Hpo1VJzU/gs6k0Ptg8TIvoCwg%2Bx8C0Vu7iDJfI9mnwYtk%2BKuGb/ttx2TQpoRsLAIagyRsjWT58KK4i1X1%2BYNCfaVA3ifMdOA48%3D
request GET http://g.zapi.binghuokeji.cn/microtime/
request POST http://union.juzizm.com/api/count/setup2
request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/pkg/l1
request GET http://g.zapi.binghuokeji.cn/?r=/v3/cp/b&p=bySKbGTEED0if6D4enWJnWJTLowuVo4px%2BMb6fdzGdjzXRqdb9RUIhq0hUIjjfYK
request GET http://dn.earpan.com/store/pic_soft45181.exe
request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/i5
request POST http://dbsu.cmcm.com/uv?t=1624564187
request GET http://g.zapi.binghuokeji.cn/?r=/v3/cp/r&p=bySKbGTEED0if6D4enWJnWJTLowuVo4px%2BMb6fdzGdjzXRqdb9RUIhq0hUIjjfYK
request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/i6
request GET http://g.zapi.binghuokeji.cn/?r=/v3/cp/b&p=VmyjhZ1V79QDl18vfKISlyjyKkbpyH4HuhPbyes/VOY8dEbsXOgBetY77HbUlW17
request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/s1
request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/i2
request POST http://tj.rxgif.cn/api/logs
request GET http://tj.rxgif.cn/api/down/dd
request GET http://g.zapi.binghuokeji.cn/?r=/v3/cp/u&p=VmyjhZ1V79QDl18vfKISlyjyKkbpyH4HuhPbyes/VOY8dEbsXOgBetY77HbUlW17
request GET http://down.rxgif.cn/DBlink/LnockRarsly.exe
request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/s4
request GET http://g.zapi.binghuokeji.cn/?r=/v3/pp/l&p=bySKbGTEED0if6D4enWJnQxZaCtGpyNwvR1%2BjP1o3N4fMVR0FYSSXYKpiwlwIdeg
request GET http://g.zapi.binghuokeji.cn/?r=/v3/pp/lf&p=bySKbGTEED0if6D4enWJnQxZaCtGpyNwvR1%2BjP1o3N4fMVR0FYSSXYKpiwlwIdeg
request GET http://g.zapi.binghuokeji.cn/?r=/v3/pp/tl&p=bySKbGTEED0if6D4enWJnWJTLowuVo4px%2BMb6fdzGdjzXRqdb9RUIhq0hUIjjfYK
request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/popup/p1
request GET http://g.zapi.binghuokeji.cn/?r=/v3/cp/t&p=bySKbGTEED0if6D4enWJnWJTLowuVo4px%2BMb6fdzGdjzXRqdb9RUIhq0hUIjjfYK
request POST http://infoc0.duba.net/nep/v1/
request GET http://download.52pcfree.com/k52zip/k52zip20210520-220-21.exe
request GET http://g.zapi.binghuokeji.cn/?r=/v3/cp/d&p=xLuKkTD7FYrn1KGf0d1pS4JsN/4dJva6ouBTswyspvZHobJcEPjUq0ampBCtF858ClIqSQQ5jhcq7JuelnnYNQ%3D%3D
request GET http://dl.binghuokeji.cn/img/mtcf.png
request GET http://dl.binghuokeji.cn/FlashZip/tsk_bjrj
request GET http://tj.wdmuz.com/lc-spbj.php?uid=262f2de5d68b2fac5ccaac65dbf7853f&qid=null&softname=bangong&softid=shanzip&softver=
request GET http://shdl.wdmuz.com/bjlc/87cbca115561d04afe4c965dd803098a.cdd?rand=85070
request GET http://dl.binghuokeji.cn/d/imgs/syyng.png
request GET http://down.wdmuz.com/wy/wyp1.dat?48507900
request HEAD http://down.wdmuz.com/wy/wyp1.dat
request GET http://tj.wdmuz.com/pipil.php
request GET http://kl.hnayg.com/zkactive/ctl/v2/qinfo.html?uid=74a6032aa894c3a537de6d362f685c90
request POST http://mxreport.whooyan.com/
request POST http://union.juzizm.com/api/count/setup2
request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/pkg/l1
request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/i5
request POST http://dbsu.cmcm.com/uv?t=1624564187
request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/i6
request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/s1
request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/i2
request POST http://tj.rxgif.cn/api/logs
request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/s4
request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/popup/p1
request POST http://infoc0.duba.net/nep/v1/
request POST http://tj.rxgif.cn/api/live/server
request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/l2
request POST http://info.52pcfree.com/c/
request POST http://infoc2.duba.net/c/
request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/s3
request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/r1
request POST http://p.zapi.binghuokeji.cn/?r=/v2/statistics/soft/r2
request POST http://union.infoc.duba.net/nep/v1/
request POST http://report.uchiha.ltd/
domain down.gametoplist.top description Generic top level domain TLD
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 7204
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x1000b000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7204
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x740f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7204
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73db1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7204
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73771000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7204
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73772000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 528384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000000aab0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 1474560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000180000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffffffffffff
-1073741800 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 1474560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000000cd40000
allocation_type: 8192 (MEM_RESERVE)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000009f20000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 1474560
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000000cd40000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 1069056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000000cd41000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 286720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000000ce46000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000000ce8c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 53248
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000000ce96000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000000cea3000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000000cea4000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000000cea5000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000000cea6000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x0000000009fd0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000000a110000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 1848
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x000000000a1a0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffffffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 7664
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x072b0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x6e621000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72821000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73dd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74e51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x66e51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x66ab1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x66a91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x66a71000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76891000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x77371000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 7664
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x66c91000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 5960
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 5960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 5960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009e0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 5960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x743c1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 5960
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02f50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 5960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x02fa0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 5960
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x032d0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 5960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73ef1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 5960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73cd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 5960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73cb1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 5960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x743b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 5960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x740d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 5960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72821000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 5960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73dd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 5960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74e51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 5960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x66e51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 5960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x66ab1000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 0
free_bytes_available: 13292847104
root_path: C:\
total_number_of_bytes: 0
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 0
free_bytes_available: 12909277184
root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer
total_number_of_bytes: 0
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 0
free_bytes_available: 12909092864
root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer
total_number_of_bytes: 0
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 0
free_bytes_available: 12883189760
root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer
total_number_of_bytes: 0
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 0
free_bytes_available: 12770594816
root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer
total_number_of_bytes: 0
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 13215735808
free_bytes_available: 0
root_path: C:\
total_number_of_bytes: 0
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 12912467968
free_bytes_available: 0
root_path: C:\Windows\system32
total_number_of_bytes: 0
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 12771389440
free_bytes_available: 0
root_path: C:\Windows\system32
total_number_of_bytes: 0
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 12771102720
free_bytes_available: 0
root_path: C:\
total_number_of_bytes: 0
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 12771102720
free_bytes_available: 0
root_path: C:\
total_number_of_bytes: 0
1 1 0

GetDiskFreeSpaceExW

total_number_of_free_bytes: 12698918912
free_bytes_available: 0
root_path: C:\Windows\system32
total_number_of_bytes: 0
1 1 0
regkey .*Kingsoft
file C:\Program Files (x86)\k52zip\api-ms-win-core-console-l1-1-0.dll
file C:\Program Files (x86)\k52zip\api-ms-win-core-datetime-l1-1-0.dll
file C:\Users\test22\AppData\Local\ShiningZip\SZipService.exe
file C:\Program Files (x86)\fastpdf\msvcr100.dll
file C:\Program Files (x86)\fastpdf\imageformats\qicns.dll
file C:\Program Files (x86)\k52zip\kzip_ext64.dll
file C:\Program Files (x86)\fastpdf\aspose.slides.dll
file C:\Program Files (x86)\fastpdf\qt5network.dll
file C:\Program Files (x86)\fastpdf\kpdftoolutil.dll
file C:\Program Files (x86)\fastpdf\kinst.exe
file C:\Users\test22\AppData\Local\Temp\nshA618.tmp\NSISdl.dll
file C:\Program Files (x86)\fastpdf\fphelper.exe
file C:\Program Files (x86)\k52zip\update.exe
file C:\Program Files (x86)\k52zip\kinst.exe
file C:\Users\test22\AppData\Local\ShiningZip\SZipExplorer64.dll
file C:\Program Files (x86)\fastpdf\msvcp140.dll
file C:\Users\test22\AppData\Local\ShiningZip\SZipMd5Tool.exe
file C:\Program Files (x86)\fastpdf\libegl.dll
file C:\Program Files (x86)\fastpdf\pdfconverter.exe
file C:\Program Files (x86)\fastpdf\api-ms-win-crt-convert-l1-1-0.dll
file C:\Program Files (x86)\k52zip\kfastpic\kfastpicutil64.dll
file C:\Program Files (x86)\fastpdf\api-ms-win-crt-time-l1-1-0.dll
file C:\Program Files (x86)\fastpdf\plugins\sqldrivers\qsqlite.dll
file C:\Program Files (x86)\fastpdf\kvipsdk.dll
file C:\Users\test22\AppData\Local\ShiningZip\SZipRetainSvr.dll
file C:\Program Files (x86)\k52zip\api-ms-win-core-processthreads-l1-1-0.dll
file C:\Program Files (x86)\fastpdf\pdfupdate.exe
file C:\Program Files (x86)\k52zip\api-ms-win-core-localization-l1-2-0.dll
file C:\Program Files (x86)\k52zip\api-ms-win-crt-string-l1-1-0.dll
file C:\Program Files (x86)\fastpdf\api-ms-win-core-file-l1-2-0.dll
file C:\Program Files (x86)\fastpdf\fpprotect.exe
file C:\Program Files (x86)\k52zip\api-ms-win-core-memory-l1-1-0.dll
file C:\Program Files (x86)\k52zip\api-ms-win-core-string-l1-1-0.dll
file C:\Program Files (x86)\k52zip\msvcp140.dll
file C:\Users\test22\AppData\Local\ShiningZip\ZipCnu.dll
file C:\Users\test22\AppData\Local\LnockRarsly\LnockRarsly.exe
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\雷神压缩\启动雷神压缩.lnk
file C:\Program Files (x86)\k52zip\api-ms-win-crt-math-l1-1-0.dll
file C:\Program Files (x86)\fastpdf\api-ms-win-crt-heap-l1-1-0.dll
file C:\Program Files (x86)\k52zip\ucrtbase.dll
file C:\Program Files (x86)\fastpdf\imageformats\qjpeg.dll
file C:\Program Files (x86)\fastpdf\imageformats\qwebp.dll
file C:\Program Files (x86)\fastpdf\msvcr80.dll
file C:\Program Files (x86)\k52zip\kdumprep.exe
file C:\Users\test22\AppData\Local\Temp\nshA618.tmp\NsisCrypt.dll
file C:\Program Files (x86)\k52zip\api-ms-win-core-timezone-l1-1-0.dll
file C:\Users\test22\AppData\Local\ShiningZip\SZipConfig.exe
file C:\Program Files (x86)\k52zip\vccorlib140.dll
file C:\Program Files (x86)\fastpdf\msvcrt.dll
file C:\Program Files (x86)\k52zip\api-ms-win-core-synch-l1-2-0.dll
Time & API Arguments Status Return Repeated

CreateServiceW

service_start_name:
start_type: 2
password:
display_name: FastPDFSvc
filepath: C:\Program Files (x86)\fastpdf\fpprotect.exe
service_name: FastPDFSvc
filepath_r: C:\Program Files (x86)\fastpdf\fpprotect.exe
desired_access: 50
service_handle: 0x007153d8
error_control: 1
service_type: 16
service_manager_handle: 0x006b4228
1 7427032 0

CreateServiceW

service_start_name:
start_type: 2
password:
display_name: ${APPNAME}驱动程序
filepath: C:\Users\test22\AppData\Roaming\雷神压缩\ThorzipVirtualCD64.sys
service_name: ThorZipVirtualCD
filepath_r: C:\Users\test22\AppData\Roaming\雷神压缩\ThorzipVirtualCD64.sys
desired_access: 983551
service_handle: 0x003f24f0
error_control: 1
service_type: 1
service_manager_handle: 0x003f1fc8
1 4138224 0

CreateServiceW

service_start_name:
start_type: 2
password:
display_name: thorzip_update_service
filepath: C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k thorzip_updatesvc
service_name: thorzip_update_service
filepath_r: %SystemRoot%\System32\svchost.exe -k thorzip_updatesvc
desired_access: 983551
service_handle: 0x003b67a0
error_control: 0
service_type: 16
service_manager_handle: 0x003f5af0
1 3893152 0

CreateServiceW

service_start_name:
start_type: 2
password:
display_name: szpsrv
filepath: C:\Users\test22\AppData\Local\ShiningZip\SZipService.exe -3ba07688d9f4
service_name: szpsrv
filepath_r: C:\Users\test22\AppData\Local\ShiningZip\SZipService.exe -3ba07688d9f4
desired_access: 983551
service_handle: 0x008690b8
error_control: 1
service_type: 272
service_manager_handle: 0x008694f0
1 8818872 0

CreateServiceW

service_start_name:
start_type: 2
password:
display_name: szpsrvr
filepath: C:\Windows\SysWOW64\svchost.exe -k szpsrvrGroup
service_name: szpsrvr
filepath_r: C:\Windows\SysWOW64\svchost.exe -k szpsrvrGroup
desired_access: 983551
service_handle: 0x00860c30
error_control: 1
service_type: 32
service_manager_handle: 0x00860c80
1 8784944 0

CreateServiceW

service_start_name:
start_type: 2
password:
display_name: kzipservice
filepath: C:\Program Files (x86)\k52zip\kzipservice.exe
service_name: kzipservice
filepath_r: C:\Program Files (x86)\k52zip\kzipservice.exe
desired_access: 50
service_handle: 0x003c41a8
error_control: 1
service_type: 16
service_manager_handle: 0x003b3450
1 3948968 0
file C:\Users\Public\Desktop\网吧语音大师 8.5.lnk
file C:\Users\test22\Desktop\集成菜单.lnk
file C:\Users\Public\Desktop\电脑管家.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\腾讯QQ.lnk
file C:\Users\test22\Desktop\迅闪游戏菜单.lnk
file C:\Users\Public\Desktop\腾讯视频.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\雷神压缩\启动雷神压缩.lnk
file C:\Users\test22\Desktop\简单网管(EasyCafe).lnk
file C:\Users\test22\Desktop\驱动人生5.lnk
file C:\Users\test22\Desktop\网吧管理专家服务端2.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sidebar.lnk
file C:\Users\Public\Desktop\集成菜单.lnk
file C:\Users\test22\Desktop\WPS文字.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\한컴 사전.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\52好压\卸载52好压.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file C:\Users\Public\Desktop\网吧管理专家服务端2.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\搜狗高速浏览器.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Fax and Scan.lnk
file C:\Users\Public\Desktop\360驱动大师.lnk
file C:\Users\Public\Desktop\闪压缩.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\暴风影音5.lnk
file C:\Users\Public\Desktop\迅闪游戏菜单.lnk
file C:\Users\Public\Desktop\QQ旋风.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\XPS Viewer.lnk
file C:\Users\Public\Desktop\爱酷网吧电影 控制台.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EditPlus.lnk
file C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\雷神压缩\启动雷神压缩.lnk
file C:\Users\test22\Desktop\易家乐好用平台.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\驱动人生5.lnk
file C:\Users\test22\Desktop\360安全卫士.lnk
file C:\Users\test22\Desktop\酷狗音乐.lnk
file C:\Users\test22\Desktop\QQ游戏.lnk
file C:\Users\test22\Desktop\QQ旋风.lnk
file C:\Users\Public\Desktop\核心服务端.lnk
file C:\Users\test22\Desktop\µãµã×ÀÃæ.lnk
file C:\Users\test22\Desktop\网吧语音大师 8.5.lnk
file C:\Users\test22\Desktop\QQ音乐.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\360安全浏览器6.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\360安全卫士.lnk
file C:\Users\Public\Desktop\360安全浏览器6.lnk
file C:\Users\test22\Desktop\启动迅雷7.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\QQ浏览器.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\酷狗音乐.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\驱动精灵.lnk
file C:\Users\test22\Desktop\360安全浏览器6.lnk
cmdline regsvr32.exe /s /u C:\Users\test22\AppData\Roaming\雷神压缩\ThorHelp64.dll
cmdline regsvr32.exe /s /u C:\Users\test22\AppData\Roaming\雷神压缩\ThorService.dll
cmdline regsvr32.exe /s /u C:\Users\test22\AppData\Roaming\PhotoViewer\ShellExt64.dll
cmdline regsvr32.exe /s C:\Users\test22\AppData\Roaming\雷神压缩\ThorHelp64.dll
cmdline regsvr32.exe /s "C:\Users\test22\AppData\Local\ShiningZip\ZipCnu64.dll"
cmdline regsvr32.exe /s /u C:\Users\test22\AppData\Roaming\PhotoViewer\PVShellExt64.dll
cmdline regsvr32.exe /s /u C:\Users\test22\AppData\Roaming\PhotoViewer\Checker.dll
cmdline regsvr32.exe /s /u C:\Users\test22\AppData\Roaming\雷神压缩\ThorShell64.dll
cmdline "C:\Windows\System32\regsvr32.exe" /s "C:\Users\test22\AppData\Local\ShiningZip\ZipCnu64.dll"
cmdline regsvr32.exe /s C:\Users\test22\AppData\Roaming\雷神压缩\ThorShell64.dll
file C:\Users\test22\AppData\Local\ShiningZip\SZipMd5Tool.exe
file C:\Program Files (x86)\fastpdf\fastpdf_ext_process.exe
file C:\Program Files (x86)\k52zip\krecommend.exe
file C:\Users\test22\AppData\Roaming\ClickDesktop\zmxzs.exe
file C:\Users\test22\AppData\Local\Temp\syzs03_1000219144.exe
file C:\Users\test22\AppData\Local\ShiningZip\ShiningZip.exe
file C:\Users\test22\AppData\Local\Temp\nsaFCA9.tmp\INetC.dll
file C:\Users\test22\AppData\Local\Temp\leishenzip_247915520_tiangua_001.exe
file C:\Users\test22\AppData\Local\ShiningZip\SZipGUI.exe
file C:\Users\test22\AppData\Local\ShiningZip\SZipExplorer.dll
file C:\Users\test22\AppData\Local\Temp\Setup_10011.exe
file C:\Users\test22\AppData\Roaming\ClickDesktop\DuiLib.dll
file C:\Users\test22\AppData\Local\ShiningZip\ShiningZip.dll
file C:\Users\test22\AppData\Roaming\ClickDesktop\AutoRemind.exe
file C:\Users\test22\AppData\Local\ShiningZip\ZipCnu.dll
file C:\Users\test22\AppData\Roaming\ClickDesktop\uninst.exe
file C:\Users\test22\AppData\Local\ShiningZip\SZipUpdate.exe
file C:\Users\test22\AppData\Local\ShiningZip\SZipMPage.exe
file C:\Users\test22\AppData\Local\Temp\k52zip20210520-220-21.exe
file C:\Users\test22\AppData\Local\ShiningZip\SZipTray.exe
file C:\Users\test22\AppData\Local\Temp\FlashZip_2710.exe
file C:\Users\test22\AppData\Local\ShiningZip\SZipCode.dll
file C:\Users\test22\AppData\Local\Temp\Fastpdf_setup_ver21042017.420.1.1.1.exe
file C:\Users\test22\AppData\Local\Temp\abckantu_2722097895_shouheng_001.exe
file C:\Users\test22\AppData\Local\ShiningZip\SZipRetainSvr.dll
file C:\Users\test22\AppData\Local\Temp\nsaFCA9.tmp\NSISdl.dll
file C:\Users\test22\AppData\Local\LnockRarsly\LnockRarsly.exe
file C:\Users\test22\AppData\Local\ShiningZip\SZipService.exe
file C:\Users\test22\AppData\Local\ShiningZip\SZipCore.dll
file C:\Users\test22\AppData\Local\ShiningZip\SZipConfig.exe
file C:\Users\test22\AppData\Local\Temp\OfficeDownloaderInstall_0_100016_lanshan.exe
file C:\Users\test22\AppData\Local\Temp\nsaFCA9.tmp\System.dll
file C:\Users\test22\AppData\Local\Tencent\TxGameAssistant\TGBDownloader\dr.dll
file C:\Users\test22\AppData\Local\ShiningZip\UnInstall.exe
file C:\Users\test22\AppData\Local\Temp\nsaFCA9.tmp\NsisCrypt.dll
file C:\Users\test22\AppData\Local\ShiningZip\SZipOverlayIcon.dll
file C:\Users\test22\AppData\Local\ShiningZip\SZipMd5Tool.exe
wmi SELECT * FROM Win32_VideoController
wmi SELECT * FROM Win32_OnBoardDevice
wmi SELECT * FROM Win32_NetworkAdapter WHERE (MACAddress IS NOT NULL)
wmi SELECT * FROM Win32_ComputerSystemProduct
wmi SELECT * FROM Win32_MemoryDevice
wmi SELECT * FROM Win32_UserAccount
wmi SELECT * FROM Win32_LogicalDisk WHERE (FileSystem IS NOT NULL)
wmi SELECT SerialNumber FROM Win32_BIOS
wmi SELECT * FROM Win32_BIOS
wmi SELECT * FROM Win32_DiskDrive WHERE MediaType LIKE 'Fixed hard disk%'
wmi SELECT * FROM Win32_SoundDevice
wmi SELECT * FROM Win32_DesktopMonitor
wmi SELECT * FROM Win32_Processor
wmi SELECT * FROM Win32_BaseBoard
wmi SELECT * FROM Win32_Keyboard
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\ShiningZip\SZipMd5Tool.exe
parameters: -e61475c863c7=27 -c9c0eef9ccd6=LCWNYmzoMeWFUU0CM2Dtga35YuzOEd3hN6CIB20FaUT10MxhIaCtAGtPOMDxEPyeMSm2ET0QMbW2FqhSNiGtFdl6IoCU0j1HZsj4ZsmYNu2YI25oZFmfYXybYnmgMH9ZUXGJlPhUbemG9CT8YJ3JJ7h3caCk5NlZeLG9Uu=y -2596b1ef9f0a=27
filepath: C:\Users\test22\AppData\Local\ShiningZip\SZipMd5Tool.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: regsvr32.exe
parameters: /s "C:\Users\test22\AppData\Local\ShiningZip\ZipCnu64.dll"
filepath: regsvr32.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\ShiningZip\SZipMd5Tool.exe
parameters: -e61475c863c7=27 -c9c0eef9ccd6=LCTNgm1oYejFcU4CZ2Dthaj5ZujOZdmhN6yIA2tFMUj1IMyhYaTtQG4PNMmxNPkeMSz2NTkQPbT2Aq=S -2596b1ef9f0a=27
filepath: C:\Users\test22\AppData\Local\ShiningZip\SZipMd5Tool.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Program Files (x86)\k52zip\krecommend.exe
parameters: /product:11 /type:1 /sence:1
filepath: C:\Program Files (x86)\k52zip\krecommend.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Users\test22\AppData\Local\ShiningZip\SZipMd5Tool.exe
parameters: -e61475c863c7=27 -c9c0eef9ccd6=LCTNgm1oYejFcU4CZ2Dthaj5ZujOZdmhN6yIA2tFMUj1IMyhYaTtQG4PNMmxNPkeMSz2NTkQPbT2Iq=S -2596b1ef9f0a=27
filepath: C:\Users\test22\AppData\Local\ShiningZip\SZipMd5Tool.exe
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 5960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 724992
protection: 32 (PAGE_EXECUTE_READ)
base_address: 0x10001000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeShutdownPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
Time & API Arguments Status Return Repeated

Process32NextW

snapshot_handle: 0x0000020c
process_name: WmiPrvSE.exe
process_identifier: 3252
0 0

Process32NextW

snapshot_handle: 0x0000020c
process_name: WmiPrvSE.exe
process_identifier: 3252
0 0

Process32NextW

snapshot_handle: 0x0000020c
process_name: WmiPrvSE.exe
process_identifier: 3252
0 0

Process32NextW

snapshot_handle: 0x0000020c
process_name: WmiPrvSE.exe
process_identifier: 3252
0 0

Process32NextW

snapshot_handle: 0x0000020c
process_name: WmiPrvSE.exe
process_identifier: 3252
0 0

Process32NextW

snapshot_handle: 0x0000020c
process_name: WmiPrvSE.exe
process_identifier: 3252
0 0

Process32NextW

snapshot_handle: 0x0000020c
process_name: WmiPrvSE.exe
process_identifier: 3252
0 0

Process32NextW

snapshot_handle: 0x0000020c
process_name: WmiPrvSE.exe
process_identifier: 3252
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x000002f0
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x000002f0
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x000002f0
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x000002f0
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x000002f0
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x000002f0
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x000002f0
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x000002f0
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x000002f0
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x000002f0
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x000002f0
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x000002f0
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x000002f0
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x000002f0
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x000002f0
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x000002f0
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x000002f0
process_name: kzipservice.exe
process_identifier: 2072
0 0

Process32NextW

snapshot_handle: 0x00000380
process_name: kzipservice.exe
process_identifier: 2072
0 0
description Match Windows Http API call rule Str_Win32_Http_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Match Windows Http API call rule Str_Win32_Http_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Match Windows Http API call rule Str_Win32_Http_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Match Windows Http API call rule Str_Win32_Http_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Match Windows Http API call rule Str_Win32_Http_API
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
Time & API Arguments Status Return Repeated

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\lszip
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\lszip
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\lszip
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\lszip
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\lszip
base_handle: 0x80000002
key_handle: 0x0000047c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\lszip
1 0 0

RegOpenKeyExW

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
2 0

RegOpenKeyExW

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
2 0

RegOpenKeyExW

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x00020019
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
2 0

RegOpenKeyExW

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
2 0

RegOpenKeyExW

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
2 0

RegOpenKeyExW

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x00020019
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
2 0

RegOpenKeyExW

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
2 0

RegOpenKeyExW

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
2 0

RegOpenKeyExW

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x00020019
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00000109
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00000109
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x00000109
regkey: HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x00000109
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\360B0B2C8ABCEC0CABF
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00000109
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\360B0B2C8ABCEC0CABF
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360B0B2C8ABCEC0CABF
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00000109
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360B0B2C8ABCEC0CABF
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\360B0B2C8ABCEC0CABF
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x00000109
regkey: HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\360B0B2C8ABCEC0CABF
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360B0B2C8ABCEC0CABF
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x00000109
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360B0B2C8ABCEC0CABF
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\360SD
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00000109
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\360SD
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360SD
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00000109
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360SD
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\360SD
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x00000109
regkey: HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\360SD
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360SD
base_handle: 0x80000001
key_handle: 0x00000000
options: 0
access: 0x00000109
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\360SD
2 0

RegOpenKeyExW

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
base_handle: 0x80000002
key_handle: 0x000003b0
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
1 0 0

RegOpenKeyExW

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
base_handle: 0xffffffff80000002
key_handle: 0x0000000000000000
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
2 0

RegOpenKeyExW

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
base_handle: 0xffffffff80000002
key_handle: 0x0000000000000138
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fastpdf
base_handle: 0xffffffff80000002
key_handle: 0x000000000000008c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fastpdf
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fastpdf
base_handle: 0xffffffff80000002
key_handle: 0x000000000000008c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fastpdf
1 0 0

RegOpenKeyExW

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
base_handle: 0x80000002
key_handle: 0x0000017c
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
1 0 0

RegOpenKeyExW

regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
base_handle: 0x80000002
key_handle: 0x00000194
options: 0
access: 0x00020019
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ShiningZip
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fastpdf
base_handle: 0xffffffff80000002
key_handle: 0x000000000000008c
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fastpdf
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fastpdf
base_handle: 0x80000002
key_handle: 0x000000ac
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fastpdf
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fastpdf
base_handle: 0x80000002
key_handle: 0x000000c8
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fastpdf
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fastpdf
base_handle: 0x80000002
key_handle: 0x000000dc
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fastpdf
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fastpdf
base_handle: 0x80000002
key_handle: 0x000000d8
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fastpdf
1 0 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fastpic
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fastpic
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{052CFB79-9D62-42E3-8A15-DE66C2C97C3E}
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\liebao
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\liebao
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\liebao
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\liebao
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQBrowser
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQBrowser
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQBrowser
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQBrowser
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQMusic
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQMusic
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQMusic
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQMusic
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\StormPlayer
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\StormPlayer
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\StormPlayer
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\StormPlayer
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\qqlive
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\qqlive
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\qqlive
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020119
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\qqlive
2 0

RegOpenKeyExW

regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQ游戏
base_handle: 0x80000002
key_handle: 0x00000000
options: 0
access: 0x00020219
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQ游戏
2 0
Time & API Arguments Status Return Repeated

InternetOpenA

proxy_name:
proxy_bypass:
flags: 0
user_agent: NSIS_Inetc (Mozilla)
access_type: 1
1 13369348 0
cmdline sc create LnockRarsly binpath= "C:\Users\test22\AppData\Local\LnockRarsly\LnockRarsly.exe" DisplayName= "LnockRarsly Service" start= auto
cmdline sc description LnockRarsly ""
cmdline SC start LnockRarsly
wmi SELECT * FROM Win32_Processor
wmi SELECT * FROM Win32_LogicalDisk WHERE (FileSystem IS NOT NULL)
wmi SELECT SerialNumber FROM Win32_BIOS
wmi SELECT * FROM Win32_BIOS
wmi SELECT * FROM Win32_ComputerSystemProduct
host 172.217.25.14
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE
Time & API Arguments Status Return Repeated

EnumServicesStatusW

service_handle: 0x0000000008d2ad50
service_type: 59
service_status: 1
0 0
service_name FastPDFSvc service_path C:\Program Files (x86)\fastpdf\fpprotect.exe
service_name ThorZipVirtualCD service_path C:\Users\test22\AppData\Roaming\雷神压缩\ThorzipVirtualCD64.sys
service_name thorzip_update_service service_path C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k thorzip_updatesvc
reg_key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\thorzip_update_service\Parameters\ServiceDll reg_value C:\Users\test22\AppData\Roaming\雷神压缩\ThorService.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0af4c9cd-825f-5677-8e7d-856f0e27270d}\InprocServer32\(Default) reg_value C:\Users\test22\AppData\Local\ShiningZip\SZipExplorer64.dll
service_name szpsrv service_path C:\Users\test22\AppData\Local\ShiningZip\SZipService.exe -3ba07688d9f4
service_name szpsrvr service_path C:\Windows\SysWOW64\svchost.exe -k szpsrvrGroup
reg_key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\szpsrvr\Parameters\ServiceDll reg_value C:\Users\test22\AppData\Roaming\zipstonh\SZipRetainSvr.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7660b6a6-0bf7-5252-be80-c2149103ef9c}\InprocServer32\(Default) reg_value C:\Windows\system32\SZipOverlayIcon64.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5c4e71b1-07d9-568f-8838-8516212e1a8e}\InprocServer32\(Default) reg_value C:\Users\test22\AppData\Local\ShiningZip\SZipExplorer64.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5c4e71b1-07d9-568f-8838-8516212e1a8e}\InprocServer32\(Default) reg_value C:\Users\test22\AppData\Local\ShiningZip\ZipCnu64.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{60D7BB01-CD27-4D13-AE76-17BD82A461E5}\InprocServer32\(Default) reg_value C:\Program Files (x86)\fastpdf\fastpdf_ext64.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{60D7BB01-CD27-4D13-AE76-17BD82A461E5}\InprocServer32\(Default) reg_value C:\Program Files (x86)\fastpdf\fastpdf_ext64.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E1E3163A-D2B0-4C20-A859-1B420ECB881A}\InprocServer32\(Default) reg_value C:\Users\test22\AppData\Roaming\雷神压缩\ThorShell64.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{43154B4E-0C2B-41C9-844E-A422C994EE17}\InprocServer32\(Default) reg_value C:\Users\test22\AppData\Roaming\雷神压缩\ThorShell64.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{60D7BB01-CD27-4D13-AE76-17BD82A461E5}\InprocServer32\(Default) reg_value C:\Program Files (x86)\fastpdf\fastpdf_ext64.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{60D7BB01-CD27-4D13-AE76-17BD82A461E5}\InprocServer32\(Default) reg_value C:\Program Files (x86)\fastpdf\fastpdf_ext64.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{60D7BB01-CD27-4D13-AE76-17BD82A461E5}\InprocServer32\(Default) reg_value C:\Program Files (x86)\fastpdf\fastpdf_ext64.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{60D7BB01-CD27-4D13-AE76-17BD82A461E5}\InprocServer32\(Default) reg_value C:\Program Files (x86)\fastpdf\fastpdf_ext64.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C1005413-92D1-4B52-811C-37C5554BC0D2}\InprocServer32\(Default) reg_value C:\Users\test22\AppData\Roaming\雷神压缩\ThorHelp64.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5D26A5C8-E94B-44d3-A027-9DF32468F8E7}\InprocServer32\(Default) reg_value C:\Program Files (x86)\fastpdf\kpdfmenu64.dll
service_name kzipservice service_path C:\Program Files (x86)\k52zip\kzipservice.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5D26A5C8-E94B-44d3-A027-9DF32468F8E7}\InprocServer32\(Default) reg_value C:\Program Files (x86)\fastpdf\kpdfmenu64.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5D26A5C8-E94B-44d3-A027-9DF32468F8E7}\InprocServer32\(Default) reg_value C:\Program Files (x86)\fastpdf\kpdfmenu64.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6B4DFEAB-4A11-45B9-A2D9-E12ABCD71A4E}\InprocServer32\(Default) reg_value C:\Program Files (x86)\k52zip\kzip_ext64.dll
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B1832224-9F22-4965-A6E8-E6A6E3C4FDF7}\InprocServer32\(Default) reg_value C:\Program Files (x86)\k52zip\kzip_ext64.dll
file C:\Windows\Tasks\ThorUpdate.job
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\krecommend.exe
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\krecommend.exe
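The block above is the persistence inventory for this run: services created with `sc create` (earlier in the report), svchost-hosted services whose `Parameters\ServiceDll` points into the user's Roaming profile, a kernel driver (.sys) staged under AppData, and COM in-process servers (shell extensions) registered under CLSID, consistent with the `regsvr32 /s ZipCnu64.dll` call logged earlier. What they share is that the code loaded at start-up lives in user-writable directories. The following Python is an added example, not part of the ZeroBOX report: it parses the report's own `service_name`, `reg_key ... ServiceDll`, `reg_key ... InprocServer32` and `cmdline sc create` lines (copied below as sample input) and flags every autostart entry whose image sits under a user profile, Temp or ProgramData. The path heuristic and the `Finding` layout are this example's assumptions. Note the report shows one ImagePath with its unexpanded `%SystemRoot%` prefixed by the Temp directory; the parser trims everything before `%SystemRoot%` so that svchost itself is not misreported.

```python
"""Triage the persistence artifacts listed in a sandbox report.

Added example, not code from the report or the sample. It reads the report's
own `service_name`, `reg_key`, and `cmdline sc create` lines and flags
autostart entries that load code from user-writable locations.
"""
import re
from dataclasses import dataclass, field

# Lines copied from the report's persistence section (input for the demo).
REPORT_LINES = [
    r'cmdline sc create LnockRarsly binpath= "C:\Users\test22\AppData\Local\LnockRarsly\LnockRarsly.exe" DisplayName= "LnockRarsly Service" start= auto',
    r'service_name FastPDFSvc service_path C:\Program Files (x86)\fastpdf\fpprotect.exe',
    r'service_name ThorZipVirtualCD service_path C:\Users\test22\AppData\Roaming\雷神压缩\ThorzipVirtualCD64.sys',
    r'service_name thorzip_update_service service_path C:\Users\test22\AppData\Local\Temp\%SystemRoot%\System32\svchost.exe -k thorzip_updatesvc',
    r'reg_key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\thorzip_update_service\Parameters\ServiceDll reg_value C:\Users\test22\AppData\Roaming\雷神压缩\ThorService.dll',
    r'service_name szpsrv service_path C:\Users\test22\AppData\Local\ShiningZip\SZipService.exe -3ba07688d9f4',
    r'service_name szpsrvr service_path C:\Windows\SysWOW64\svchost.exe -k szpsrvrGroup',
    r'reg_key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\szpsrvr\Parameters\ServiceDll reg_value C:\Users\test22\AppData\Roaming\zipstonh\SZipRetainSvr.dll',
    r'reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7660b6a6-0bf7-5252-be80-c2149103ef9c}\InprocServer32\(Default) reg_value C:\Windows\system32\SZipOverlayIcon64.dll',
    r'reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5c4e71b1-07d9-568f-8838-8516212e1a8e}\InprocServer32\(Default) reg_value C:\Users\test22\AppData\Local\ShiningZip\ZipCnu64.dll',
    r'service_name kzipservice service_path C:\Program Files (x86)\k52zip\kzipservice.exe',
]

# Heuristic (this example's assumption): autostart code under a user profile,
# Temp or ProgramData was installed without needing admin-only paths.
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\|\\Temp\\|\\ProgramData\\', re.IGNORECASE)

SERVICE_RE    = re.compile(r'^service_name (\S+) service_path (.+)$')
SC_CREATE_RE  = re.compile(r'^cmdline sc create (\S+) .*?binpath= "([^"]+)"', re.IGNORECASE)
SERVICEDLL_RE = re.compile(r'^reg_key .*\\services\\([^\\]+)\\Parameters\\ServiceDll reg_value (.+)$', re.IGNORECASE)
CLSID_RE      = re.compile(r'^reg_key .*\\CLSID\\(\{[0-9a-f-]+\})\\InprocServer32\\\(Default\) reg_value (.+)$', re.IGNORECASE)
SVCHOST_RE    = re.compile(r'svchost\.exe\s+-k\s+(\S+)', re.IGNORECASE)
IMAGE_RE      = re.compile(r'^(.*?\.(?:exe|dll|sys))(?=\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    kind: str             # service | sc_create | service_dll | com_server
    name: str             # service name or CLSID
    image: str            # file that gets loaded at start-up
    reasons: list = field(default_factory=list)


def normalize(path):
    """Drop the sandbox's CWD prefix from an unexpanded %SystemRoot% ImagePath."""
    i = path.find('%SystemRoot%')
    return path[i:] if i > 0 else path


def image_of(cmdline):
    """Return the executable/DLL/driver part of a service command line."""
    m = IMAGE_RE.match(normalize(cmdline))
    return m.group(1) if m else cmdline


def triage(lines):
    services = {}          # service name -> normalized command line
    findings = []
    for line in lines:                      # pass 1: service images
        m = SERVICE_RE.match(line) or SC_CREATE_RE.match(line)
        if not m:
            continue
        name, cmd = m.group(1), normalize(m.group(2))
        services[name] = cmd
        image = image_of(cmd)
        reasons = []
        if USER_WRITABLE.search(image):
            reasons.append('service binary under user-writable path')
            if image.lower().endswith('.sys'):
                reasons.append('kernel driver staged in the user profile')
        if reasons:
            kind = 'sc_create' if line.startswith('cmdline') else 'service'
            findings.append(Finding(kind, name, image, reasons))
    for line in lines:                      # pass 2: DLLs loaded by hosts
        m = SERVICEDLL_RE.match(line)
        if m:
            name, dll = m.groups()
            if USER_WRITABLE.search(dll):
                g = SVCHOST_RE.search(services.get(name, ''))
                group = g.group(1) if g else '?'
                findings.append(Finding('service_dll', name, dll,
                    [f'svchost -k {group} loads ServiceDll from user-writable path']))
            continue
        m = CLSID_RE.match(line)
        if m and USER_WRITABLE.search(m.group(2)):
            findings.append(Finding('com_server', m.group(1), m.group(2),
                ['COM in-process server (shell extension) under user-writable path']))
    return findings


if __name__ == '__main__':
    for f in triage(REPORT_LINES):
        print(f'{f.kind:12} {f.name:40} {f.image}')
        for r in f.reasons:
            print(' ' * 13 + '- ' + r)
```

Run against the lines above it reports six entries: the `sc create` service, the .sys driver and SZipService.exe from AppData, the two svchost groups whose ServiceDll lives in Roaming, and the ZipCnu64.dll shell extension; FastPDFSvc, kzipservice and the System32-resident overlay-icon handler are not flagged. The same regexes work on a live host by feeding it `reg query`/`sc qc` output in this line format.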
Time & API Arguments Status Return Repeated

RegSetValueExW

key_handle: 0x0000000000002b18
regkey_r: shellext64
reg_type: 3 (REG_BINARY)
value: REG_BINARY blob, rendered by the sandbox as raw bytes (not reproduced here). It is a GIF89a file: header and colour table, then an Adobe XMP application extension whose packet reads:
<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c145 79.163499, 2018/08/13-16:40:22 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC 2019 (Macintosh)" xmpMM:InstanceID="xmp.iid:46EE2F1498D511EA8D3AB0601A219851" xmpMM:DocumentID="xmp.did:46EE2F1598D511EA8D3AB0601A219851"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:05AFCB0998B911EA8D3AB0601A219851" stRef:documentID="xmp.did:05AFCB0A98B911EA8D3AB0601A219851"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>
followed by the XMP block's descending-byte magic trailer (0xFF, 0xFE, ... as visible in the dump) and the compressed image data.
regkey: HKEY_CURRENT_USER\Software\lszip\born\shellext64
1 0 0
Time & API Arguments Status Return Repeated

RegSetValueExA

key_handle: 0x000002a8
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
1 0 0

RegSetValueExA

key_handle: 0x00000268
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
1 0 0

RegSetValueExA

key_handle: 0x00000284
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
1 0 0
Time & API Arguments Status Return Repeated

NtCreateFile

create_disposition: 1 (FILE_OPEN)
file_handle: 0x00000190
filepath: \??\PhysicalDrive0
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
filepath_r: \??\PhysicalDrive0
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 1 (FILE_OPENED)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
1 0 0

NtCreateFile

create_disposition: 1 (FILE_OPEN)
file_handle: 0x0000018c
filepath: \??\PhysicalDrive0
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
filepath_r: \??\PhysicalDrive0
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 1 (FILE_OPENED)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
1 0 0

DeviceIoControl

input_buffer:
control_code: 2954240 ()
device_handle: 0x00000204
output_buffer: (§Lu~ $ VBOX HARDDISK 1.0VBOX HARDDISK 1.0 42566234393262373030372d6533656331322036
1 1 0
Time & API Arguments Status Return Repeated

InternetConnectA

username:
service: 3
hostname: www.baidu.com
internet_handle: 0x0000000000cc0004
flags: 0
password:
port: 443
1 13369352 0

connect

ip_address: 119.63.197.151
socket: 8660
port: 443
-1 0

InternetConnectA

username:
service: 3
hostname: down1.thorzip.muxin.fun
internet_handle: 0x0000000000cc0004
flags: 0
password:
port: 80
1 13369352 0

connect

ip_address: 36.248.43.220
socket: 7436
port: 80
-1 0

InternetConnectA

username:
service: 3
hostname: www.baidu.com
internet_handle: 0x0000000000cc0004
flags: 0
password:
port: 443
1 13369352 0

connect

ip_address: 119.63.197.151
socket: 2688
port: 443
-1 0

InternetConnectA

username:
service: 3
hostname: report.thorzip.muxin.fun
internet_handle: 0x0000000000cc0004
flags: 0
password:
port: 80
1 13369352 0

InternetConnectA

username:
service: 3
hostname: api.mxgcat.wang
internet_handle: 0x0000000000cc0004
flags: 0
password:
port: 80
1 13369352 0

connect

ip_address: 119.39.80.117
socket: 2688
port: 80
-1 0

InternetCrackUrlW

url: http://api.mxgcat.wang/84e3aa4c7cb77c6933867ee34cb49c32.md5
flags: -2147483648
1 1 0

InternetConnectW

username:
service: 3
hostname: api.mxgcat.wang
internet_handle: 0x0000000000cc0004
flags: 134217728
password:
port: 80
1 13369352 0

HttpOpenRequestW

connect_handle: 0x0000000000cc0008
http_version: HTTP/1.0
flags: 67109376
http_method: GET
referer:
path: /84e3aa4c7cb77c6933867ee34cb49c32.md5
1 13369356 0

InternetConnectA

username:
service: 3
hostname: www.baidu.com
internet_handle: 0x0000000000cc0004
flags: 0
password:
port: 443
1 13369352 0

connect

ip_address: 119.63.197.151
socket: 9380
port: 443
-1 0

InternetConnectA

username:
service: 3
hostname: down1.thorzip.muxin.fun
internet_handle: 0x0000000000cc0004
flags: 0
password:
port: 80
1 13369352 0

connect

ip_address: 36.248.43.220
socket: 9380
port: 80
-1 0

InternetConnectA

username:
service: 3
hostname: www.baidu.com
internet_handle: 0x0000000000cc0004
flags: 0
password:
port: 443
1 13369352 0

connect

ip_address: 119.63.197.151
socket: 10444
port: 443
-1 0

InternetConnectA

username:
service: 3
hostname: report.thorzip.muxin.fun
internet_handle: 0x0000000000cc0004
flags: 0
password:
port: 80
1 13369352 0

InternetConnectA

username:
service: 3
hostname: down1.thorzip.muxin.fun
internet_handle: 0x0000000000cc0004
flags: 0
password:
port: 80
1 13369352 0

HttpOpenRequestA

connect_handle: 0x0000000000cc0008
http_version: HTTP/1.0
flags: -2147483648
http_method: GET
referer:
path: /shell2.json
1 13369356 0

InternetConnectA

username:
service: 3
hostname: down1.thorzip.muxin.fun
internet_handle: 0x0000000000cc0004
flags: 0
password:
port: 80
1 13369352 0

HttpOpenRequestA

connect_handle: 0x0000000000cc0008
http_version: HTTP/1.0
flags: -2147483648
http_method: GET
referer:
path: /logo/v1.0.0.2/ShellExtStrategyDll64.gif
1 13369356 0

connect

ip_address: 123.56.69.34
socket: 96
port: 80
-1 0

send

buffer: POST / HTTP/1.1 Host: mxreport.whooyan.com Accept: */* Content-Type:application/json;charset=UTF-8 Content-Length: 664 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
socket: 96
sent: 790
1 790 0
process explorer.exe useragent Internal
process explorer.exe useragent
process explorer.exe useragent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
process Setup_10011.exe useragent NSIS_Inetc (Mozilla)
process abckantu_2722097895_shouheng_001.exe
process leishenzip_247915520_tiangua_001.exe
process: potential process injection target explorer.exe
file C:\Users\test22\AppData\Local\fastpdf\config.ini.lock
Process injection Process 1848 resumed a thread in remote process 3140
Process injection Process 1848 resumed a thread in remote process 9204
Process injection Process 8300 resumed a thread in remote process 1036
Process injection Process 1036 resumed a thread in remote process 1808
Process injection Process 9204 resumed a thread in remote process 5632
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x0000000000002f9c
suspend_count: 1
process_identifier: 3140
1 0 0

NtResumeThread

thread_handle: 0x00000000000025f4
suspend_count: 1
process_identifier: 9204
1 0 0

NtResumeThread

thread_handle: 0x000002dc
suspend_count: 1
process_identifier: 1036
1 0 0

NtResumeThread

thread_handle: 0x000003e0
suspend_count: 1
process_identifier: 1808
1 0 0

NtResumeThread

thread_handle: 0x00000304
suspend_count: 1
process_identifier: 5632
1 0 0
file \??\VBoxMiniRdrDN
dll VBoxHook.dll
registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00
registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00\3&267a616a&0&10
registry HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\PCI\VEN_80EE&DEV_BEEF&SUBSYS_00000000&REV_00\3&267A616A&0&10\Driver
file C:\Windows\System32\drivers\vpc-s3.sys
file C:\Windows\System32\drivers\vpcubus.sys
Time & API Arguments Status Return Repeated

NtQuerySystemInformation

information_class: 76 (SystemFirmwareTableInformation)
3221225507 0
Time & API Arguments Status Return Repeated

__exception__

stacktrace:
?AddItem@ReportHelper@business_publish@@QAEHABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@HAAV?$vector@U?$pair@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@@std@@V?$allocator@U?$pair@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@@std@@@2@@4@@Z+0x48328 ??_7?$kxQueueThreadRun@VKSimpleDirectInfoc@@$03VLocker@kbase@@@kbase@@6B@-0x2da64 k52zip20210520-220-21+0xa67e8 @ 0x4a67e8
?AddItem@ReportHelper@business_publish@@QAEHABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@HAAV?$vector@U?$pair@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@@std@@V?$allocator@U?$pair@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@@std@@@2@@4@@Z+0x4d6cc ??_7?$kxQueueThreadRun@VKSimpleDirectInfoc@@$03VLocker@kbase@@@kbase@@6B@-0x286c0 k52zip20210520-220-21+0xabb8c @ 0x4abb8c
?AddItem@ReportHelper@business_publish@@QAEHABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@HAAV?$vector@U?$pair@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@@std@@V?$allocator@U?$pair@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@@std@@@2@@4@@Z+0x516af ??_7?$kxQueueThreadRun@VKSimpleDirectInfoc@@$03VLocker@kbase@@@kbase@@6B@-0x246dd k52zip20210520-220-21+0xafb6f @ 0x4afb6f
?AddItem@ReportHelper@business_publish@@QAEHABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@HAAV?$vector@U?$pair@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@@std@@V?$allocator@U?$pair@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@@std@@@2@@4@@Z+0x5369b ??_7?$kxQueueThreadRun@VKSimpleDirectInfoc@@$03VLocker@kbase@@@kbase@@6B@-0x226f1 k52zip20210520-220-21+0xb1b5b @ 0x4b1b5b
?AddItem@ReportHelper@business_publish@@QAEHABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@HAAV?$vector@U?$pair@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@@std@@V?$allocator@U?$pair@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@@std@@@2@@4@@Z+0x537ab ??_7?$kxQueueThreadRun@VKSimpleDirectInfoc@@$03VLocker@kbase@@@kbase@@6B@-0x225e1 k52zip20210520-220-21+0xb1c6b @ 0x4b1c6b
?AddItem@ReportHelper@business_publish@@QAEHABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@HAAV?$vector@U?$pair@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@@std@@V?$allocator@U?$pair@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@@std@@@2@@4@@Z+0x59140 ??_7?$kxQueueThreadRun@VKSimpleDirectInfoc@@$03VLocker@kbase@@@kbase@@6B@-0x1cc4c k52zip20210520-220-21+0xb7600 @ 0x4b7600
??1ReportHelper@business_publish@@UAE@XZ+0x5b6 ??0?$kxQueueThreadRun@VKSimpleDirectInfoc@@$03VLocker@kbase@@@kbase@@QAE@XZ-0x34e k52zip20210520-220-21+0x59ee2 @ 0x459ee2
??1ReportHelper@business_publish@@UAE@XZ+0x2e2 ??0?$kxQueueThreadRun@VKSimpleDirectInfoc@@$03VLocker@kbase@@@kbase@@QAE@XZ-0x622 k52zip20210520-220-21+0x59c0e @ 0x459c0e
?BeginThreadFun@?$kxThreadBase@VLocker@kbase@@@kbase@@MAEXXZ-0x7685 k52zip20210520-220-21+0x4f76c @ 0x44f76c
?BeginThreadFun@?$kxThreadBase@VLocker@kbase@@@kbase@@MAEXXZ-0x8e95 k52zip20210520-220-21+0x4df5c @ 0x44df5c
?BeginThreadFun@?$kxThreadBase@VLocker@kbase@@@kbase@@MAEXXZ-0x8f1f k52zip20210520-220-21+0x4ded2 @ 0x44ded2
?BeginThreadFun@?$kxThreadBase@VLocker@kbase@@@kbase@@MAEXXZ-0x1a10 k52zip20210520-220-21+0x553e1 @ 0x4553e1
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x755b62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x755b6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x755b77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x755b788a
?BeginThreadFun@?$kxThreadBase@VLocker@kbase@@@kbase@@MAEXXZ-0x5b95 k52zip20210520-220-21+0x5125c @ 0x45125c
?BeginThreadFun@?$kxThreadBase@VLocker@kbase@@@kbase@@MAEXXZ-0x63bf k52zip20210520-220-21+0x50a32 @ 0x450a32
0x600e4

exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a c7 45
exception.symbol: ?AddItem@ReportHelper@business_publish@@QAEHABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@HAAV?$vector@U?$pair@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@@std@@V?$allocator@U?$pair@V?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@V12@@std@@@2@@4@@Z+0x4819b ??_7?$kxQueueThreadRun@VKSimpleDirectInfoc@@$03VLocker@kbase@@@kbase@@6B@-0x2dbf1 k52zip20210520-220-21+0xa665b
exception.instruction: in eax, dx
exception.module: k52zip20210520-220-21.exe
exception.exception_code: 0xc0000096
exception.offset: 681563
exception.address: 0x4a665b
registers.esp: 1633916
registers.edi: 1634936
registers.eax: 1447909480
registers.ebp: 1633976
registers.edx: 22104
registers.ebx: 0
registers.esi: 1634936
registers.ecx: 10
1 0 0
mutex Global\{76F1BBD0-BAED-412D-87AE-3DCBB3F6AED1}
mutex thorzip-{15F447D3-0771-4E0F-AB05-EE20829E3206}
mutex Global/VIP{BBC55EE0-A128-46c2-8189-4020E84F8081}
mutex {08586C4E-62C4-4a4e-8271-C2A20530AF62}_M_S-1-5-21-3832866432-4053218753-3017428901-1001
mutex {0C196968-D540-49D0-A765-8F113FBECF04}_TGBDownloader_1
mutex lszip_{8F9A0C80-E0D1-4D1A-9EC6-EF8EBC1FEEA5}lszip_MUTEX_INSTALL
udp {u'src': u'192.168.56.102', u'dst': u'239.255.255.250', u'offset': 142601393, u'time': 1.0472841262817383, u'dport': 3702, u'sport': 49152}
udp {u'src': u'192.168.56.102', u'dst': u'239.255.255.250', u'offset': 142609793, u'time': 1.6930160522460938, u'dport': 1900, u'sport': 56752}
udp {u'src': u'192.168.56.102', u'dst': u'239.255.255.250', u'offset': 142615529, u'time': 1.5245051383972168, u'dport': 3702, u'sport': 56754}
udp {u'src': u'192.168.56.102', u'dst': u'239.255.255.250', u'offset': 142618385, u'time': 5.431740045547485, u'dport': 3702, u'sport': 57661}
udp {u'src': u'192.168.56.102', u'dst': u'239.255.255.250', u'offset': 142621113, u'time': 6.314023017883301, u'dport': 3702, u'sport': 57663}
udp {u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 226001608, u'time': 32.52610516548157, u'dport': 50538, u'sport': 53}
udp {u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 226002584, u'time': 35.474441051483154, u'dport': 51733, u'sport': 53}
udp {u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 226002858, u'time': 32.297054052352905, u'dport': 51857, u'sport': 53}
udp {u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 226003363, u'time': 34.44402718544006, u'dport': 51983, u'sport': 53}
udp {u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 226003606, u'time': 35.98441219329834, u'dport': 52542, u'sport': 53}
udp {u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 226003839, u'time': 31.461878061294556, u'dport': 54221, u'sport': 53}
udp {u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 226004082, u'time': 33.20240807533264, u'dport': 55957, u'sport': 53}
udp {u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 226004367, u'time': 53.71338415145874, u'dport': 55992, u'sport': 53}
udp {u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 226004579, u'time': 33.606969118118286, u'dport': 59367, u'sport': 53}
udp {u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 226004810, u'time': 44.61654615402222, u'dport': 60430, u'sport': 53}
udp {u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 226005004, u'time': 29.852392196655273, u'dport': 61998, u'sport': 53}
udp {u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 226005533, u'time': 32.114646196365356, u'dport': 62039, u'sport': 53}
udp {u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 226005810, u'time': 33.99781107902527, u'dport': 62262, u'sport': 53}
udp {u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 226006053, u'time': 56.74567198753357, u'dport': 62388, u'sport': 53}
udp {u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 226006576, u'time': 31.967104196548462, u'dport': 62461, u'sport': 53}
udp {u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 226006839, u'time': 47.92791414260864, u'dport': 62836, u'sport': 53}
udp {u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 226007029, u'time': 33.74628210067749, u'dport': 63574, u'sport': 53}
udp {u'src': u'8.8.8.8', u'dst': u'192.168.56.102', u'offset': 226007303, u'time': 35.12994909286499, u'dport': 63667, u'sport': 53}
Bkav W32.AIDetect.malware1
Elastic malicious (high confidence)
DrWeb Trojan.KillFiles.62557
MicroWorld-eScan Gen:Variant.Strictor.244274
FireEye Generic.mg.2e765a8048bcd67f
CAT-QuickHeal Trojan.GenericRI.S14805165
ALYac Gen:Variant.Strictor.244274
Cylance Unsafe
Sangfor Trojan.Win32.Save.a
Cyren W32/Strictor.CK.gen!Eldorado
APEX Malicious
Cynet Malicious (score: 100)
BitDefender Gen:Variant.Strictor.244274
Ad-Aware Gen:Variant.Strictor.244274
Sophos Generic ML PUA (PUA)
VIPRE Trojan.Win32.Generic!BT
Emsisoft Gen:Variant.Strictor.244274 (B)
SentinelOne Static AI - Malicious PE
Avira TR/Adload.Gen
MAX malware (ai score=84)
Antiy-AVL Trojan/Generic.ASMalwS.2A59467
Microsoft Trojan:Win32/Tnega!ml
Gridinsoft Trojan.Win32.Killfiles.vb!s1
GData Gen:Variant.Strictor.244274
AhnLab-V3 Trojan/Win32.Agent.R343616
VBA32 Trojan.KillFiles
Ikarus Trojan-Dropper.Win32.Generic
Fortinet W32/Strictor.244274!tr
Cybereason malicious.048bcd
dead_host 192.168.56.102:50162
dead_host 119.63.197.151:443