PUP.LuDaShi

Threat Scorecard

Popularity Rank: 1,181
Threat Level: 10 % (Normal)
Infected Computers: 143,208
First Seen: March 16, 2016
Last Seen: February 6, 2026
OS(es) Affected: Windows

File System Details

PUP.LuDaShi may create the following file(s):
# File Name MD5 Detections
1. MobileDeviceSrv.exe ccd8369cc281c091ce86766004b3e669 378
2. LockHomePage.exe 02446ad15a7a7fcfd3a6e313c4833b13 162
3. MiniNews.exe 06ce90f74c9daa023a89030acb30466c 80
4. LdsLite.exe 45ebc4be21df257e03feee5a87917186 32
5. ComputerZ14.exe b1d87da50bad52902a6d90c593516ddc 21
6. removelds_gcenter.bat 675c6ca06e9232982c828455cb91f05f 1
7. removelds.bat 366688c29407dd45b8b5738e9f769249 1

Registry Details

PUP.LuDaShi may create the following registry entry or registry entries:
CLSID
{34B3C588-D06C-4F92-929C-2C3A0BC7F821}
Regexp file mask
%TEMP%\ludashisetup.exe
%Temp%\removelds.bat
%Temp%\removelds_gcenter.bat
%WINDIR%\System32\Tasks\ComputerZ-Tray
%WINDIR%\System32\Tasks\LDSGameCenter
SOFTWARE\Classes\ComputerZ8.DeskBandExt
SOFTWARE\Classes\ComputerZ8.DeskBandExt.1
SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\ludashi.com
SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.ludashi.com
SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\ludashi.com
SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.ludashi.com
SOFTWARE\LDSGameCenter
SOFTWARE\ldssrv
SOFTWARE\Ludashi
SOFTWARE\LudashiLspUrl
SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\mininews.exe
SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\mininews.exe
SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\mininews.exe
SOFTWARE\Microsoft\Tracing\ComputerZTray_RASAPI32
SOFTWARE\Microsoft\Tracing\ComputerZTray_RASMANCS
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ComputerZ-Tray
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ComputerZLite
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ComputerZ_CN.exe
Software\QiLu Inc.\mininews
SOFTWARE\WOW6432Node\LDSGameCenter
SOFTWARE\WOW6432Node\LdsLite
SOFTWARE\WOW6432Node\ldssrv
SOFTWARE\WOW6432Node\LuDaShi
SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\mininews.exe
SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\mininews.exe
SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\mininews.exe
SOFTWARE\WOW6432Node\Microsoft\Tracing\ComputerZTray_RASAPI32
SOFTWARE\WOW6432Node\Microsoft\Tracing\ComputerZTray_RASMANCS
SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\ComputerZ_CN.exe
SYSTEM\ControlSet001\Enum\Root\LEGACY_COMPUTERZ_X64
SYSTEM\ControlSet001\Enum\Root\LEGACY_COMPUTERZLOCK
SYSTEM\ControlSet001\Services\ComputerZ_x64
SYSTEM\ControlSet001\services\ComputerZLock
SYSTEM\ControlSet002\Enum\Root\LEGACY_COMPUTERZ_X64
SYSTEM\ControlSet002\Enum\Root\LEGACY_COMPUTERZLOCK
SYSTEM\ControlSet002\Services\ComputerZ_x64
SYSTEM\ControlSet002\services\ComputerZLock
SYSTEM\CurrentControlSet\Enum\Root\LEGACY_COMPUTERZ_X64
SYSTEM\CurrentControlSet\Enum\Root\LEGACY_COMPUTERZLOCK
SYSTEM\CurrentControlSet\Services\ComputerZ_x64
SYSTEM\CurrentControlSet\services\ComputerZLock

Directories

PUP.LuDaShi may create the following directory or directories:

%APPDATA%\360bizhi\Utils
%APPDATA%\360bizhi\softmgr
%APPDATA%\360bizhi\wallpaperhelper
%APPDATA%\ABCPhoto\mininews
%APPDATA%\youku
%APPDATA%\ytmediacenter
%AppData%\Ludashi
%PROGRAMFILES%\LDSGameCenter
%PROGRAMFILES%\LdsLite
%PROGRAMFILES%\LuDaShi
%PROGRAMFILES(x86)%\LDSGameCenter
%PROGRAMFILES(x86)%\LdsLite
%PROGRAMFILES(x86)%\LuDaShi
%WINDIR%\Syswow64\config\systemprofile\AppData\Roaming\LDSGameCenter
%WINDIR%\Syswow64\config\systemprofile\AppData\Roaming\Ludashi
%WINDIR%\system32\config\systemprofile\AppData\Roaming\LDSGameCenter
%WINDIR%\system32\config\systemprofile\AppData\Roaming\Ludashi
%appdata%\LDSGameAssistant
%appdata%\LDSGameCenter

Analysis Report

General information

Family Name: PUP.LuDaShi
Signature status: Self Signed

Known Samples


Windows Portable Executable Attributes

  • File doesn't have "Rich" header
  • File doesn't have exports table
  • File doesn't have relocations information
  • File doesn't have security information
  • File has exports table
  • File has TLS information
  • File is 32-bit executable
  • File is 64-bit executable
  • File is console application (IMAGE_SUBSYSTEM_WINDOWS_CUI)
  • File is either console or GUI application
  • File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
  • File is Native application (NOT .NET application)
  • File is not packed
  • IMAGE_FILE_DLL is not set inside PE header (Executable)
  • IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

Windows PE Version Information

Name Value
Comments general service
Company Name
  • QL-TECHNOLOGY
  • www.ludashi.com
  • 成都奇鲁科技有限公司
  • 鲁大师
File Description
  • baizhan
  • ByteLocker
  • bzbzsc
  • dll文件修复
  • DS-R1 一键安装工具
  • general protect service
  • LockBox
  • NullCipher
  • recyclean_svr
  • RecycleAssistant
  • SafeSpace
  • SecureVault
  • ShieldDocs
  • slim helper
  • wjing23
  • xiyou
  • 卸载程序
  • 大师壁纸
  • 应用程序
  • 游戏微端
  • 电脑性能优化
  • 硬件防护中心
  • 程序
  • 饼干压缩
  • 鲁大师清理
File Version
  • 65535.0.368.507
  • 65535.0.345.1224
  • 65535.0.310.402
  • 65535.0.305.314
  • 65535.0.255.410
  • 10.1025.1015.1021
  • 10.1025.1010.1118
  • 6.5025.1280.427
  • 6.1026.1095.105
  • 5.1025.2695.1219
  • 5.1025.2660.718
  • 5, 0, 0, 1010
  • 2.5025.1000.311
  • 2.1025.1005.310
  • 1.5025.1330.805
  • 1.5025.1270.317
  • 1.5025.1050.317
  • 1.5025.1005.310
  • 1.5024.1210.920
  • 1.2723.1000.0111
  • 1.1325.1060.827
  • 1.1325.1010.1121
  • 1.1225.1060.827
  • 1.1123.1040.504
  • 1.1025.1100.903
  • 1.1025.1090.822
  • 1.1025.1065.6027
  • 1.1025.1055.925
  • 1.1025.1050.425
  • 1.1025.1035.808
  • 1.1025.1030.811
  • 1.1025.1015.1027
  • 1.1025.1005.402
  • 1.1024.1035.1112
  • 1.0.236.0
  • 1.0.226.0
Internal Name
  • ai_cooling.dll
  • BiscuitZip.exe
  • BrowserProtectTray.exe
  • bytelocker_service.exe
  • CleanPageEngine.dll
  • combase.dll
  • ComputerZTray
  • cpt.exe
  • desktop_quick_ui.exe
  • dll_repa.exe
  • gm.exe
  • inst_pop.tpi
  • LionProtectTray.exe
  • lockbox_service.exe
  • MasterBHO.dll
  • mgbox.exe
  • MicroGameBox
  • nullcipher_service.exe
  • pc_optimizer_ui.exe
  • recyclean_svr.dll
  • safespace_service.exe
  • shielddocs_service.exe
  • svr
  • ToBrowserTray.exe
  • uninst.exe
  • 扩展程序
Legal Copyright
  • (C)All Rights Reserved.
  • Copyright (C) 2008-2022
  • Copyright (C) 2008-2024
  • Copyright (C) 2008-2025
  • Copyright (C) 2011-2014 www.ludashi.com
  • Copyright (C) 2022
  • Copyright (C) 2024
  • Copyright (C) 2025
  • 版权所有 (C) 2008-2024
  • 版权所有 (C) 2008-2025
  • 版权所有 (C)2025
  • 版权所有 鲁大师游戏
Original Filename
  • ai_cooling.dll
  • BiscuitZip.exe
  • BrowserProtectTray.exe
  • bytelocker_service.exe
  • CleanPageEngine.dll
  • combase.dll
  • ComputerZTray.exe
  • cpt.exe
  • desktop_quick_ui.exe
  • dll_repa.exe
  • inst_pop.tpi
  • LionProtectTray.exe
  • lockbox_service.exe
  • MasterBHO.dll
  • mgbox.exe
  • MicroGameBox
  • nullcipher_service.exe
  • pc_optimizer_ui.exe
  • recyclean_svr.dll
  • safespace_service.exe
  • shielddocs_service.exe
  • svr
  • ToBrowserTray.exe
  • uninst.exe
  • 扩展程序
Product Name
  • baizhan
  • ByteLocker
  • bzbzsc
  • cpt
  • DS-R1 一键安装工具
  • genral protect service
  • LockBox
  • NullCipher
  • recyclean
  • RecycleAssistant
  • SafeSpace
  • SafeSurf
  • SecureVault
  • ShieldDocs
  • slim helper
  • wjing23
  • xiyou
  • 大师壁纸
  • 应用程序
  • 游戏微端
  • 电脑性能优化
  • 硬件防护中心
  • 饼干压缩
  • 鲁大师清理
Product Version
  • 65535.0.368.507
  • 65535.0.345.1224
  • 65535.0.310.402
  • 65535.0.305.314
  • 65535.0.255.410
  • 10.1025.1015.1021
  • 10.1025.1010.1118
  • 6.5025.1280.427
  • 6.1026.1095.105
  • 5.1025.2695.1219
  • 5.1025.2660.718
  • 5, 0, 0, 1010
  • 2.5025.1000.311
  • 2.1025.1005.310
  • 1.5025.1330.805
  • 1.5025.1270.317
  • 1.5025.1050.317
  • 1.5025.1005.310
  • 1.5024.1210.920
  • 1.2723.1000.0111
  • 1.1325.1060.827
  • 1.1325.1010.1121
  • 1.1225.1060.827
  • 1.1123.1040.504
  • 1.1025.1100.903
  • 1.1025.1090.822
  • 1.1025.1065.6027
  • 1.1025.1055.925
  • 1.1025.1050.425
  • 1.1025.1035.808
  • 1.1025.1030.811
  • 1.1025.1015.1027
  • 1.1025.1005.402
  • 1.1024.1035.1112
  • 1.0.236.0
  • 1.0.226.0

Digital Signatures

Signer | Root | Status
天津六六游科技有限公司 | DigiCert Assured ID Root CA | Root Not Trusted
Chengdu Qilu Technology Co. Ltd. | DigiCert SHA2 Assured ID Code Signing CA | Self Signed
天津六六游科技有限公司 | DigiCert SHA2 Assured ID Code Signing CA | Self Signed
天津六六游科技有限公司 | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Self Signed
成都奇鲁科技有限公司 | DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 | Self Signed
成都深智科技有限公司 | DigiCert Trusted Root G4 | Root Not Trusted
Qihoo 360 Software (Beijing) Company Limited | Symantec Class 3 SHA256 Code Signing CA | Hash Mismatch
Qihoo 360 Software (Beijing) Company Limited | VeriSign Class 3 Code Signing 2010 CA | Hash Mismatch

File Traits

  • 2+ executable sections
  • dll
  • HighEntropy
  • x86

Block Information

Total Blocks: 6,660
Potentially Malicious Blocks: 639
Whitelisted Blocks: 5,654
Unknown Blocks: 367

Similar Families

  • Qihoo.B

Files Modified

File Attributes
\device\harddisk0\dr0 Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\gmdasllogger Generic Write,Read Attributes
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\lds_setup.log Generic Write,Read Attributes
c:\users\user\appdata\local\temp\{14dd0d30-55dd-4761-b34e-1686d52d05ed}.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\{35e60549-7cdb-4fd2-b65a-c10fad826ff8}.tmp\7z.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\{38c122d1-65ca-4719-b8c7-c28c82722d86}.tmp\net_titan.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\{38c122d1-65ca-4719-b8c7-c28c82722d86}.tmp\net_titan.dll Synchronize,Write Attributes
c:\users\user\appdata\local\temp\{4f58ba1b-b736-4503-90c3-07a97b528cf4}.tf Generic Write,Read Attributes
c:\users\user\appdata\local\temp\{5156ce0b-aee2-4c54-ac33-6edd42620e82}.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\{6b6b96a6-8d0b-49c9-90f4-c8f107bb5632}.tmp\lds.ldsprj Generic Write,Read Attributes
c:\users\user\appdata\local\temp\{6b6b96a6-8d0b-49c9-90f4-c8f107bb5632}.tmp\lds.ldsprj Synchronize,Write Attributes
c:\users\user\appdata\local\temp\{9a0db885-22b6-4540-8a36-f8867703d160}.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\{ad20fd0e-ad5f-4771-92f3-3c0c440218f1}.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\{b113e2b7-24d9-4730-aab0-ebcb3e200da5}.tmp Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\{f489e1f6-a661-49f9-b340-29a17db4ca1b}.tmp\netul.dll Generic Write,Read Attributes
c:\users\user\appdata\local\temp\{f489e1f6-a661-49f9-b340-29a17db4ca1b}.tmp\netul.dll Synchronize,Write Attributes
c:\users\user\appdata\roaming\360netul\0b57250e06a4c9b4d71d8a5c4d53492135491f8e_0008939480.netul.log Generic Write,Read Attributes
c:\users\user\appdata\roaming\360netul\216e780bb7d66aceeaba86dfad852c73ec81682a_0003330376.netul.log Generic Write,Read Attributes
c:\users\user\appdata\roaming\360netul\7665b084b6b46b3d292f87a905850bb351f14480_0004255120.netul.log Generic Write,Read Attributes
c:\users\user\appdata\roaming\360netul\7ca820ce469f6412e10c48642f07ca67ca260675_0004917200.netul.log Generic Write,Read Attributes
c:\users\user\appdata\roaming\360netul\be9ee2d90c20d3d96d2f4f364606a21975701018_0004266880.netul.log Generic Write,Read Attributes
c:\users\user\appdata\roaming\cfg_f6ede2e5-3c3e-450f-8e0c-ff2d3e4deb36.dat Generic Write,Read Attributes
c:\users\user\appdata\roaming\d9a40989-314b-45fc-ac6c.dat Generic Write,Read Attributes
c:\users\user\appdata\roaming\microgame\netbridge.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\microgame\netbridge.zip Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\roaming\microgame\netbridge.zip Synchronize,Write Attributes
c:\users\user\appdata\roaming\microgame\netbridge.zip Synchronize,Write Data
c:\users\user\appdata\roaming\microgame\netbridge.zip.temp Generic Write,Read Attributes
c:\users\user\appdata\roaming\microgame\utils\7z.dll Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\config.ini Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\downloads\log\computercenter.log Generic Write,Read Attributes
c:\users\user\downloads\log\computerztray.log Generic Write,Read Attributes

Registry Modifications

Key::Value Data API Name
HKLM\software\wow6432node\commaster::mid RegNtPreCreateKey
HKLM\software\wow6432node\commaster::m2 RegNtPreCreateKey
HKLM\software\wow6432node\commaster::mid RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\content::cacheprefix RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\cookies::cacheprefix Cookie: RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\5.0\cache\history::cacheprefix Visited: RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\authroot\certificates\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43::blob (binary certificate blob, not shown) RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\authroot\certificates\0563b8630d62d75abbc8ab1e4bdfb5a899b24d43::blob RegNtPreCreateKey
HKCU\software\com_key::user_id D/DYfnecdBKEWxjcJJ+uHGCKPzmJ0wsnj9Huml28e+glkio77IGQbyhYXmzCmx5jVTZ3tOXf145YwzD95L4hKw== RegNtPreCreateKey
HKCU\software\com_key::id_check RegNtPreCreateKey
HKLM\software\wow6432node\com_user::m2 RegNtPreCreateKey
HKCU\software\cce78a929052580edeb3035116d8a46a93bdf2b9_0002927128::live_stat_p (binary data, not shown) RegNtPreCreateKey
HKLM\software\wow6432node\commaster::mid RegNtPreCreateKey
HKLM\software\wow6432node\commaster::m2 RegNtPreCreateKey
HKLM\software\wow6432node\commaster::stat_rand 1 RegNtPreCreateKey
HKLM\software\wow6432node\microgame::mid2 RegNtPreCreateKey
HKCU\software\newmicrogame\ktxy::from n3taskpop_wd_ktxy0516 RegNtPreCreateKey
HKCU\software\newmicrogame\ktxy::installdir C:\Users\Okbsgewy\AppData\Roaming\MicroGame\ktxy RegNtPreCreateKey
HKCU\software\newmicrogame\ktxy::exepath C:\Users\Okbsgewy\AppData\Roaming\MicroGame\ktxy\ktxy.exe RegNtPreCreateKey
HKCU\software\newmicrogame\ktxy::installtime 2025-08-30 21:39:27 RegNtPreCreateKey
HKCU\software\newmicrogame\ktxy::displayname 开天西游 RegNtPreCreateKey
HKCU\software\newmicrogame\ktxy::pid n3taskpop_wd_ktxy0516 RegNtPreCreateKey
HKCU\software\newmicrogame\ktxy::version 65535.0.368.507 RegNtPreCreateKey
HKCU\software\newmicrogame\ktxy::channel n3taskpop_wd_ktxy0516 RegNtPreCreateKey
HKCU\software\newmicrogame::uninstallthirdparturl (NULL) RegNtPreCreateKey
HKCU\software\newmicrogame::platform jkw RegNtPreCreateKey
HKCU\software\newmicrogame::installedgameids ;ktxy; RegNtPreCreateKey
HKCU\software\newmicrogame::setup path C:\Users\Okbsgewy\AppData\Roaming\MicroGame RegNtPreCreateKey
HKLM\software\wow6432node\commaster::mid RegNtPreCreateKey
HKLM\software\wow6432node\commaster::m2 RegNtPreCreateKey
HKCU\software\com_key::user_id qA6X8bVyJ5B5C6zE3pyalq/wG+YQgkqH1BzU5iosqQIUsMvrv+1ZL4rgbki6ONrv7JicJCEbFkMesPEAc/q+jQ== RegNtPreCreateKey
HKCU\software\com_key::id_check RegNtPreCreateKey
HKLM\software\wow6432node\com_user::m2 RegNtPreCreateKey
HKLM\software\wow6432node\commaster::mid RegNtPreCreateKey
HKLM\software\wow6432node\commaster::m2 RegNtPreCreateKey
HKLM\software\wow6432node\commaster::stat_rand 8 RegNtPreCreateKey
HKLM\software\wow6432node\commaster::m2 RegNtPreCreateKey
HKLM\software\wow6432node\commaster::stat_rand RegNtPreCreateKey
HKCU\software\571ded54985999fefbcc169cdee91b883c126988_0004701208::live_stat_p (binary data, not shown) RegNtPreCreateKey
HKLM\software\wow6432node\commaster::m2 RegNtPreCreateKey
HKCU\software\newmicrogame\wjcq::from tp_wjcq1227 RegNtPreCreateKey
HKCU\software\newmicrogame\wjcq::installdir C:\Users\Vefswely\AppData\Roaming\MicroGame\wjcq RegNtPreCreateKey
HKCU\software\newmicrogame\wjcq::exepath C:\Users\Vefswely\AppData\Roaming\MicroGame\wjcq\wjcq.exe RegNtPreCreateKey
HKCU\software\newmicrogame\wjcq::installtime 2025-11-03 08:56:45 RegNtPreCreateKey
HKCU\software\newmicrogame\wjcq::displayname 维京传奇 RegNtPreCreateKey
HKCU\software\newmicrogame\wjcq::pid tp_wjcq1227 RegNtPreCreateKey
HKCU\software\newmicrogame\wjcq::version (NULL) RegNtPreCreateKey
HKCU\software\newmicrogame\wjcq::channel tp_wjcq1227 RegNtPreCreateKey
HKCU\software\newmicrogame::installedgameids ;wjcq; RegNtPreCreateKey
HKCU\software\newmicrogame::setup path C:\Users\Vefswely\AppData\Roaming\MicroGame RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\authroot\certificates\3679ca35668772304d30a5fb873b0fa77bb70d54::blob (binary certificate blob containing the string "VeriSign Universal Root Certification Authority", not shown) RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\authroot\certificates\3679ca35668772304d30a5fb873b0fa77bb70d54::blob (binary certificate blob, not shown) RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\authroot\certificates\3679ca35668772304d30a5fb873b0fa77bb70d54::blob (binary certificate blob containing the string "VeriSign Universal Root Certification Authority", not shown) RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\authroot\certificates\3679ca35668772304d30a5fb873b0fa77bb70d54::blob (binary certificate blob, not shown) RegNtPreCreateKey
HKLM\software\wow6432node\commaster::m2 RegNtPreCreateKey
HKLM\software\wow6432node\commaster::csver 2.0 RegNtPreCreateKey
HKLM\software\wow6432node\commaster::cslist W7nAZtSwFBIAmjaaMVj5io5qRGnUmv40SOzZ0/vioOYnY6Iogdojg5cR5eh/UrdtDewnqG1pK0HWAg73WCRLkYrb+j3hlYvVYha/wFNMqm4jkGCR2dkNFNSu6SR2aVjS RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Tzhwphlu\AppData\Local\Temp\{35E60549-7CDB-4fd2-B65A-C10FAD826FF8}.tmp\7z.dll RegNtPreCreateKey
HKLM\system\controlset001\control\session manager::pendingfilerenameoperations \??\C:\Users\Tzhwphlu\AppData\Local\Temp\{35E60549-7CDB-4fd2-B65A-C10FAD826FF8}.tmp\7z.dll\??\C:\Users\Tzhwphlu\AppData\Local\ RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enablefiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableautofiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filetracingmask (binary value, not renderable as text) RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::consoletracingmask (binary value, not renderable as text) RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::maxfilesize  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasapi32::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enablefiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableautofiletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::enableconsoletracing RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filetracingmask (binary value, not renderable as text) RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::consoletracingmask (binary value, not renderable as text) RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::maxfilesize  RegNtPreCreateKey
HKLM\software\wow6432node\microsoft\tracing\rasmancs::filedirectory %windir%\tracing RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\authroot\certificates\ddfb16cd4931c973a2037d3fc83a4d7d775d05e4::blob RegNtPreCreateKey
HKLM\software\microsoft\systemcertificates\authroot\certificates\ddfb16cd4931c973a2037d3fc83a4d7d775d05e4::blob RegNtPreCreateKey
HKCU\software\com_key::user_id 5vyBqXUGqLvkNDjycP7ge/8aGYJdiXBi8otK3WJGhXvs1pvZE+42QRD0uPf5CQr3kPSm6xBzFGuYfsUPm71Ycg== RegNtPreCreateKey
HKCU\software\com_key::id_check RegNtPreCreateKey
HKLM\software\wow6432node\com_user::m2 RegNtPreCreateKey
HKLM\software\wow6432node\commaster::m2 RegNtPreCreateKey
HKLM\software\wow6432node\commaster::stat_rand " RegNtPreCreateKey
HKCU\software\com_key::user_id kHSPGoqzHaCgaOLVUZswyqn2DZhbyOXN7yns7EEZ9HNr5oBFakRdXolpvCasK5Utntes7TDJ1cO4hU9Ayq0+Wg== RegNtPreCreateKey
HKCU\software\com_key::id_check RegNtPreCreateKey
HKLM\software\wow6432node\com_user::m2 RegNtPreCreateKey
HKCU\software\com_key::user_id XTMipLW8LjF/ab6nc+/YDjnnHRTTDWr+tYrJWDAA5JdMOAwIQGzr2NcpdiObCgSPZeqwXGaCXfiUO7ubT2qLdg== RegNtPreCreateKey
HKCU\software\com_key::id_check RegNtPreCreateKey
HKLM\software\wow6432node\com_user::m2 RegNtPreCreateKey
HKLM\software\wow6432node\commaster::m2 RegNtPreCreateKey
HKLM\software\wow6432node\commaster::stat_rand RegNtPreCreateKey
HKLM\software\wow6432node\commaster::m2 RegNtPreCreateKey
HKLM\software\wow6432node\commaster::stat_rand ) RegNtPreCreateKey
HKLM\software\wow6432node\commaster::m2 RegNtPreCreateKey
HKLM\software\wow6432node\commaster::stat_rand q RegNtPreCreateKey
HKLM\software\wow6432node\commaster::m2 RegNtPreCreateKey
HKLM\software\wow6432node\commaster::m2 RegNtPreCreateKey

Windows API Usage

Category API
Anti Debug
  • IsDebuggerPresent
  • NtQuerySystemInformation
  • OutputDebugString
Network Winhttp
  • WinHttpOpen
Encryption Used
  • BCryptOpenAlgorithmProvider
Network Wininet
  • HttpOpenRequest
  • InternetConnect
  • InternetOpen
  • InternetQueryOption
  • InternetSetOption
Network Winsock2
  • WSASocket
  • WSAStartup
Network Info Queried
  • GetAdaptersAddresses
  • GetAdaptersInfo
Network Winsock
  • closesocket
  • connect
  • freeaddrinfo
  • getaddrinfo
  • send
  • setsockopt
  • socket
Syscall Use
  • ntdll.dll!NtAccessCheck
  • ntdll.dll!NtAlpcSendWaitReceivePort
  • ntdll.dll!NtApphelpCacheControl
  • ntdll.dll!NtClose
  • ntdll.dll!NtConnectPort
  • ntdll.dll!NtCreateFile
  • ntdll.dll!NtCreateMutant
  • ntdll.dll!NtCreateSection
  • ntdll.dll!NtDuplicateToken
  • ntdll.dll!NtFreeVirtualMemory
  • ntdll.dll!NtMapViewOfSection
  • ntdll.dll!NtOpenFile
  • ntdll.dll!NtOpenKey
  • ntdll.dll!NtOpenKeyEx
  • ntdll.dll!NtOpenProcessToken
  • ntdll.dll!NtOpenProcessTokenEx
  • ntdll.dll!NtOpenSection
  • ntdll.dll!NtOpenSemaphore
  • ntdll.dll!NtOpenThreadTokenEx
  • ntdll.dll!NtProtectVirtualMemory
  • ntdll.dll!NtQueryAttributesFile
  • ntdll.dll!NtQueryDebugFilterState
  • ntdll.dll!NtQueryInformationProcess
  • ntdll.dll!NtQueryInformationThread
  • ntdll.dll!NtQueryInformationToken
  • ntdll.dll!NtQueryKey
  • ntdll.dll!NtQueryLicenseValue
  • ntdll.dll!NtQueryPerformanceCounter
  • ntdll.dll!NtQuerySecurityAttributesToken
  • ntdll.dll!NtQuerySystemInformationEx
  • ntdll.dll!NtQueryValueKey
  • ntdll.dll!NtQueryVirtualMemory
  • ntdll.dll!NtQueryVolumeInformationFile
  • ntdll.dll!NtQueryWnfStateData
  • ntdll.dll!NtReadFile
  • ntdll.dll!NtReleaseMutant
  • ntdll.dll!NtReleaseSemaphore
  • ntdll.dll!NtReleaseWorkerFactoryWorker
  • ntdll.dll!NtRequestWaitReplyPort
  • ntdll.dll!NtSetEvent
  • ntdll.dll!NtSetInformationFile
  • ntdll.dll!NtSetInformationProcess
  • ntdll.dll!NtSetInformationThread
  • ntdll.dll!NtSetInformationVirtualMemory
  • ntdll.dll!NtSetInformationWorkerFactory
  • ntdll.dll!NtSubscribeWnfStateChange
  • ntdll.dll!NtTestAlert
  • ntdll.dll!NtTraceControl
  • ntdll.dll!NtUnmapViewOfSection
  • ntdll.dll!NtUnmapViewOfSectionEx
  • ntdll.dll!NtWaitForMultipleObjects
  • ntdll.dll!NtWaitForSingleObject
  • ntdll.dll!NtWaitForWorkViaWorkerFactory
  • ntdll.dll!NtWaitLowEventPair
  • ntdll.dll!NtWriteFile
  • ntdll.dll!NtWriteVirtualMemory
  • UNKNOWN
  • win32u.dll!NtGdiBitBlt
  • win32u.dll!NtGdiCreateBitmap
  • win32u.dll!NtGdiCreateCompatibleDC
  • win32u.dll!NtGdiCreateDIBitmapInternal
  • win32u.dll!NtGdiCreateSolidBrush
  • win32u.dll!NtGdiDeleteObjectApp
  • win32u.dll!NtGdiExtGetObjectW
  • win32u.dll!NtGdiGetDCforBitmap
  • win32u.dll!NtGdiGetDCObject
  • win32u.dll!NtGdiGetDeviceCaps
  • win32u.dll!NtGdiRestoreDC
  • win32u.dll!NtGdiSaveDC
  • win32u.dll!NtGdiSelectBitmap
  • win32u.dll!NtGdiSetDIBitsToDeviceInternal
  • win32u.dll!NtUserBuildHwndList
  • win32u.dll!NtUserCallTwoParam
  • win32u.dll!NtUserCreateEmptyCursorObject
  • win32u.dll!NtUserCreateWindowEx
  • win32u.dll!NtUserDestroyWindow
  • win32u.dll!NtUserFindExistingCursorIcon
  • win32u.dll!NtUserGetAncestor
  • win32u.dll!NtUserGetClassInfoEx
  • win32u.dll!NtUserGetClassName
  • win32u.dll!NtUserGetDC
  • win32u.dll!NtUserGetGUIThreadInfo
  • win32u.dll!NtUserGetIconInfo
  • win32u.dll!NtUserGetIconSize
  • win32u.dll!NtUserGetImeInfoEx
  • win32u.dll!NtUserGetKeyboardLayout
  • win32u.dll!NtUserGetObjectInformation
  • win32u.dll!NtUserGetProcessWindowStation
  • win32u.dll!NtUserGetProp
  • win32u.dll!NtUserGetThreadDesktop
  • win32u.dll!NtUserGetThreadState
  • win32u.dll!NtUserGetWindowCompositionAttribute
  • win32u.dll!NtUserIsNonClientDpiScalingEnabled
  • win32u.dll!NtUserIsTopLevelWindow
  • win32u.dll!NtUserMessageCall
  • win32u.dll!NtUserRegisterClassExWOW
  • win32u.dll!NtUserRegisterWindowMessage
  • win32u.dll!NtUserReleaseDC
  • win32u.dll!NtUserRemoveProp
  • win32u.dll!NtUserSelectPalette

6 additional items are not displayed above.

Process Shell Execute
  • CreateProcess
Process Manipulation Evasion
  • NtUnmapViewOfSection
  • ReadProcessMemory
User Data Access
  • GetComputerNameEx

Shell Command Execution

C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\57cf4c9d32d5056334e68ee3b464dda76057294d_0003291536.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\bbf0098d6cd0807c18940096de1aa0e5ffdad33f_0000471464.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\94d4cc8c94f9005cc347e230d609f2cee4cb7e78_0001235416.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\5b264683e640523611177a104802adcfaeabe6c4_0003501592.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\c35f29a4a6d565815ad60f66d67f30e69a687253_0001230032.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\652688a226ba8dfca45251b8d9ba74c53e8df936_0003501080.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\53c27ade709865bcf335a9fffc18ff7e09be745e_0002207256.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\89d61f0d3c6bf98928c5e775524e01b3d47cff04_0000928216.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\1238589ac8478a067bc4e134902bcdcaa66d6962_0001351704.,LiQMAxHB
C:\WINDOWS\SysWOW64\rundll32.exe C:\WINDOWS\system32\rundll32.exe c:\users\user\downloads\5cda75eceb4ab72a4d209d4a66045928832c94c7_0004344996.,LiQMAxHB