Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 24, 2021, 9:14 a.m.	May 24, 2021, 9:17 a.m.

Size	1.2MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5	`9d24f3afa9e996bb1d87fbf12263c53f`
SHA256	`379a4afe5d418429ba1bb2e484a0672137325262f55473d007e72ebe4879a036`
CRC32	`504D4694`
ssdeep	`24576:54J2QS/Mo6TVg2UldBeAGNI5blPIZgibbtSBTbfj2ZSUWSej/Qde:54wQSkhT5UPEMqtq72Z1erQde`
Yara	PE_Header_Zero - PE File Signature IsPE32 - (no description) Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet

wnspxzq@_27899.exe "C:\Users\test22\AppData\Local\Temp\wnspxzq@_27899.exe"
112

Name	Response	Post-Analysis Lookup
download.xp666.com	A 58.215.155.238 A 58.215.155.239 A 58.215.155.248 A 58.215.155.241 A 58.215.155.240 A 58.215.155.243 A 58.215.155.242 A 58.215.155.244 CNAME download.xp666.com.w.kunlunca.com	58.215.155.241
api.xp666.com	A 203.107.36.186	203.107.36.186

IP Address	Status	Action
164.124.101.2	Active	Moloch
203.107.36.186	Active	Moloch
58.215.155.240	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable uses a known packer (1 event)

packer

UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

TESTDATA

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (5 events)

request	GET http://api.xp666.com/setup_api.php?softid=27899
request	GET http://download.xp666.com/dtazq/cof/cfg.7z
request	GET http://download.xp666.com/dtazq/getlist
request	GET http://download.xp666.com/dtazq/wb
request	GET http://download.xp666.com/dtazq/dtico.zip

Allocates read-write-execute memory (usually to unpack itself) (2 events)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 24, 2021, 9:14 a.m.	process_identifier: 112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1	0	0
NtAllocateVirtualMemory May 24, 2021, 9:14 a.m.	process_identifier: 112 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00890000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0	0

Foreign language identified in PE resource (1 event)

name

TESTDATA

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00396960

size

0x0000002a

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (11 events)

Time & API	Arguments	Status	Return
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x0000020c process_name: audiodg.exe process_identifier: 892	1	1
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x0000020c process_name: WmiPrvSE.exe process_identifier: 1916	1	1
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x0000020c process_name: pw.exe process_identifier: 2816	1	1
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x0000020c process_name: SearchIndexer.exe process_identifier: 2940	1	1
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x0000020c process_name: SearchProtocolHost.exe process_identifier: 1480	1	1
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x0000020c process_name: SearchFilterHost.exe process_identifier: 3040	1	1
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x0000020c process_name: SearchProtocolHost.exe process_identifier: 2120	1	1
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x0000020c process_name: mobsync.exe process_identifier: 844	1	1
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x0000020c process_name: pw.exe process_identifier: 2360	1	1
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x0000020c process_name: taskhost.exe process_identifier: 2832	1	1
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x0000020c process_name: wnspxzq@_27899.exe process_identifier: 112	1	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0011f800', u'virtual_address': u'0x0033c000', u'entropy': 7.936288581749602, u'name': u'UPX1', u'virtual_size': u'0x00120000'}

entropy

7.93628858175

description

A section with a high entropy has been found

entropy

0.973338975878

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 137 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x0000020c process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000218 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x0000021c process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000220 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000224 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000228 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x0000022c process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000230 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000234 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000238 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x0000023c process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000240 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000244 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000248 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x0000024c process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000250 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000254 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000258 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x0000025c process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000260 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000264 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000268 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x0000026c process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000270 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000274 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000278 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x0000027c process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000280 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000284 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000288 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x0000028c process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000290 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000294 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x00000298 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x0000029c process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x000002a0 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x000002a4 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x000002a8 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x000002ac process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x000002b0 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x000002b4 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x000002b8 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x000002bc process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x000002c0 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x000002c4 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x000002c8 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x000002cc process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x000002d0 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x000002d4 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0
Process32NextW May 24, 2021, 9:14 a.m.	snapshot_handle: 0x000002d8 process_name: wnspxzq@_27899.exe process_identifier: 112		0	0

Queries for potentially installed applications (28 events)

Time & API	Arguments	Return
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: software\microsoft\windows\currentversion\uninstall\2345PCSafe base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020209 regkey: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\2345PCSafe	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: software\microsoft\windows\currentversion\uninstall\2345PCSafe base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020109 regkey: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\2345PCSafe	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: software\microsoft\windows\currentversion\uninstall\2345Explorer base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020209 regkey: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\2345Explorer	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: software\microsoft\windows\currentversion\uninstall\2345Explorer base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020109 regkey: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\2345Explorer	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileGamePC base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020209 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileGamePC	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileGamePC base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020109 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileGamePC	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HuyaClient base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020209 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HuyaClient	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HuyaClient base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020109 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HuyaClient	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: software\microsoft\windows\currentversion\uninstall\KwMusic7 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020209 regkey: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\KwMusic7	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: software\microsoft\windows\currentversion\uninstall\KwMusic7 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020109 regkey: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\KwMusic7	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\KPlayer base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020209 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\KPlayer	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\KPlayer base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00020109 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\KPlayer	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: software\microsoft\windows\currentversion\uninstall\FunAccelerator base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020209 regkey: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\FunAccelerator	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: software\microsoft\windows\currentversion\uninstall\FunAccelerator base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020109 regkey: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\FunAccelerator	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: software\microsoft\windows\currentversion\uninstall\酷狗音乐 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020209 regkey: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\酷狗音乐	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: software\microsoft\windows\currentversion\uninstall\酷狗音乐 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020109 regkey: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\酷狗音乐	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: software\microsoft\windows\currentversion\uninstall\2345Pinyin base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020209 regkey: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\2345Pinyin	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: software\microsoft\windows\currentversion\uninstall\2345Pinyin base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020109 regkey: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\2345Pinyin	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B68066D6-D1CB-4794-93E0-D7A4D3AC7FC1}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020209 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B68066D6-D1CB-4794-93E0-D7A4D3AC7FC1}_is1	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B68066D6-D1CB-4794-93E0-D7A4D3AC7FC1}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020109 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B68066D6-D1CB-4794-93E0-D7A4D3AC7FC1}_is1	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{85A1055C-CA42-CE34-D11C-D911C052CB3E}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020209 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{85A1055C-CA42-CE34-D11C-D911C052CB3E}_is1	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{85A1055C-CA42-CE34-D11C-D911C052CB3E}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020109 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{85A1055C-CA42-CE34-D11C-D911C052CB3E}_is1	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{45D36763-347B-4320-A41B-AC40663617E3}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020209 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{45D36763-347B-4320-A41B-AC40663617E3}_is1	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{45D36763-347B-4320-A41B-AC40663617E3}_is1 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020109 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{45D36763-347B-4320-A41B-AC40663617E3}_is1	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZHGameBox base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020209 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZHGameBox	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZHGameBox base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020109 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZHGameBox	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\血饮传说 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020209 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\血饮传说	2
RegOpenKeyExW May 24, 2021, 9:14 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\血饮传说 base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020109 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\血饮传说	2

The executable is compressed using UPX (2 events)

section	UPX0				description	Section name indicates UPX
section	UPX1				description	Section name indicates UPX

Generates some ICMP traffic

File has been identified by 31 AntiVirus engines on VirusTotal as malicious (31 events)

MicroWorld-eScan	Gen:Variant.Zusy.382834
FireEye	Gen:Variant.Zusy.382834
McAfee	Artemis!9D24F3AFA9E9
Cylance	Unsafe
Sangfor	Trojan.Win32.Wacatac.B
K7AntiVirus	Trojan ( 005765551 )
K7GW	Trojan ( 005765551 )
Symantec	Trojan.Gen.MBT
ESET-NOD32	a variant of Win32/Duote.A
APEX	Malicious
BitDefender	Gen:Variant.Zusy.382834
Avast	Win32:Trojan-gen
Rising	Trojan.Duote!8.11613 (TFE:dGZlOgVvnaLNC0yWXw)
Ad-Aware	Gen:Variant.Zusy.382834
Sophos	Mal/Generic-S
VIPRE	Trojan.Win32.Generic!BT
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Gen:Variant.Zusy.382834 (B)
eGambit	Unsafe.AI_Score_98%
Avira	TR/Dldr.Delphi.Gen4
Microsoft	Trojan:Win32/Tiggre!rfn
GData	Gen:Variant.Zusy.382834
Cynet	Malicious (score: 99)
ALYac	Gen:Variant.Zusy.382834
MAX	malware (ai score=100)
VBA32	TScope.Trojan.Delf
TrendMicro-HouseCall	TROJ_GEN.R002H0CEI21
Ikarus	Trojan.Win32.Duote
Fortinet	W32/Duote.A!tr
AVG	Win32:Trojan-gen
CrowdStrike	win/malicious_confidence_100% (D)

wnspxzq@_27899.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All