Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 12, 2021, 11:03 a.m.	Nov. 12, 2021, 11:06 a.m.

Size	23.5MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`2fa17055cbe751f03a57d8b8ec3c6cd4`
SHA256	`a6c9370b43fdff11eae35f61bc7d8f89ab817685a6157359eaf52496fcc949a2`
CRC32	`0F608FE6`
ssdeep	`393216:ejVFxACaeIi4i3B57+vyYTnrcbshWgQnzlFp1F5x2oWX2u7/:ejTISxknrcbshZUj/7WX2I`
Yara	Malicious_Packer_Zero - Malicious Packer Win32_Trojan_Emotet_2_Zero - Win32 Trojan Emotet PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware OS_Processor_Check_Zero - OS Processor Check IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library UPX_Zero - UPX packed file

uqiwang.exe "C:\Users\test22\AppData\Local\Temp\uqiwang.exe"
2440
- bcdedit.exe C:\windows\sysnative\bcdedit.exe
  2528
- bcdedit.exe C:\windows\sysnative\bcdedit.exe /enum {BBA53588-9FEC-4BE1-9FF8-51BF7E088918}
  2588
- MiniTPFw.exe "C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\download\download\MiniTPFw.exe"
  2840
  - ThunderFW.exe "C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\download\download\ThunderFW.exe" MiniThunderPlatform2021-11-1217:23:59 "C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\download\download\MiniThunderPlatform.exe"
    2992
- MiniThunderPlatform.exe "C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\download\download\MiniThunderPlatform.exe" -StartTP
  2912
- update.exe "C:\Users\test22\Documents\YunQiShiUSBDrive\update.exe" 4FB7D25268E0F658802D8CA493C76FC9B24AC78C469520FCCD2BF6CB7E35B270BED50E2600463B6EE69C35FA2008A41EAF0EAB8968667939D3ED1E6EC3C3D5C27A2C97F8B0DB381B9A9A2CD6C994C848F7E57C82CF93E05E21B2B7729FDD26E29806D5D8B67BD066EA41908218A47771E3EEADEB3C33EEEA8198C76F309C79EB59CB7011D6CA67820901496CD331EC7241162DA82D773F6B8B37B799C286A46CF86761CDDB2754E2B549FE965F43FE893766A51AB4788DA3811517F9C4E477E308BA8BB78C7C740CF3196DA35496895E5C438F16EC4A8FF5647E22013C053EA2D9D97401BDF0CDA8
  2224
- bcdedit.exe C:\windows\sysnative\bcdedit.exe
  2532
- bcdedit.exe C:\windows\sysnative\bcdedit.exe /enum {BBA53588-9FEC-4BE1-9FF8-51BF7E088918}
  2644
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
zhu.wuyouxitong.com	A 120.76.246.204	120.76.246.204
tj.driverzj.com	A 47.115.157.13	47.115.157.13
hubstat.hz.sandai.net	CNAME cnchubstat.sandai.net CNAME hubstat.sandai.net A 140.206.225.232 A 140.206.225.136	140.206.225.136
hub5pn.hz.sandai.net	A 58.144.251.1 A 157.255.225.49 A 211.91.242.37 A 118.212.146.21 A 211.91.242.38 CNAME hub5pn.sandai.net A 153.3.232.174 A 111.206.4.176 A 153.3.232.175 A 157.255.225.53 CNAME cnc.hub5pn.sandai.net A 118.212.146.20 A 111.206.4.164 A 58.144.251.2	157.255.225.53
imhub5pr.hz.sandai.net	A 127.0.0.1	127.0.0.1
score.phub.hz.sandai.net	A 127.0.0.1	127.0.0.1
hub5u.hz.sandai.net	A 47.92.75.245 CNAME bgphub5u.sandai.net A 39.100.9.39 CNAME hub5u.sandai.net A 39.98.57.143	47.92.75.245
relay.phub.hz.sandai.net	A 127.0.0.1	127.0.0.1
hub5pr.hz.sandai.net	A 47.92.39.6 A 47.92.125.145 CNAME hub5pr.sandai.net A 47.92.171.207 A 47.92.169.85 A 47.92.194.216 A 47.92.195.246 CNAME bgphub5pr.sandai.net	47.92.195.246
hub5pnc.hz.sandai.net	A 47.92.99.221 CNAME hub5pnc.sandai.net A 47.92.100.53 CNAME cnc.hub5pnc.sandai.net	47.92.100.53
pmap.hz.sandai.net	A 47.97.7.140	47.97.7.140
hub5c.hz.sandai.net	CNAME cncidx.m.hub.sandai.net A 112.64.218.154 A 116.132.219.184 CNAME cnchub5sr.sandai.net A 112.64.218.40 A 112.64.218.64 A 116.132.218.191 A 116.132.223.136 CNAME hub4t.sandai.net	112.64.218.64

IP Address	Status	Action
116.132.219.184	Active	Moloch
120.76.246.204	Active	Moloch
140.206.225.232	Active	Moloch
157.255.225.49	Active	Moloch
164.124.101.2	Active	Moloch
39.100.9.39	Active	Moloch
47.115.157.13	Active	Moloch
47.92.195.246	Active	Moloch
47.92.99.221	Active	Moloch
47.97.7.140	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 12, 2021, 11:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 12, 2021, 11:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 12, 2021, 11:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 12, 2021, 11:03 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 12, 2021, 11:04 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 12, 2021, 10:56 a.m.	computer_name: TEST22-PC	1	1

Command line console output was observed (5 events)

Time & API	Arguments	Status	Return
WriteConsoleA Nov. 12, 2021, 11:04 a.m.	buffer: pid=2440;app_id=yqsxtzjds_udisk;main_file_name=C:\Users\test22\AppData\Local\Temp\uqiwang.exe;ver=12.6.48.1850;update_style=f;notify_wnd=003a0028;notify_msg=2032;updated_run=1;server=zhu.wuyouxitong.com:8091\|bei.wuyouxitong.com:8091 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 12, 2021, 11:04 a.m.	buffer: Á¬½Ó·þÎñÆ÷ 120.76.246.204:8091 ³É¹¦¡£ console_handle: 0x0000000b	1	1
WriteConsoleA Nov. 12, 2021, 11:04 a.m.	buffer: ´Ó·þÎñÆ÷»ñÈ¡µ½¼ÓÃÜÃÜÔ¿£ºnlMHS6c6ss console_handle: 0x0000000b	1	1
WriteConsoleA Nov. 12, 2021, 11:04 a.m.	buffer: Ô¶³Ì°æ±¾£º0.0.0.0£»±¾µØ°æ±¾£º12.6.48.1850 console_handle: 0x00000007	1	1
WriteConsoleA Nov. 12, 2021, 11:04 a.m.	buffer: ÒÑ¾ÊÇ×îÐÂµÄ°æ±¾ console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 12, 2021, 11:03 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.vmp0

The file contains an unknown PE resource name possibly indicative of a packer (5 events)

resource name	FILE
resource name	GIF
resource name	PNG
resource name	STYLE_XML
resource name	None

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://47.97.7.140:80/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://116.132.219.184:80/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://47.92.195.246:80/
suspicious_features	POST method with no referer header, POST method with no useragent header, Connection to IP address	suspicious_request	POST http://140.206.225.232:80/

Performs some HTTP requests (4 events)

request	POST http://47.97.7.140:80/
request	POST http://116.132.219.184:80/
request	POST http://47.92.195.246:80/
request	POST http://140.206.225.232:80/

Sends data using the HTTP POST Method (4 events)

request	POST http://47.97.7.140:80/
request	POST http://116.132.219.184:80/
request	POST http://47.92.195.246:80/
request	POST http://140.206.225.232:80/

Communication to multiple IPs on high port numbers possibly indicative of a peer-to-peer (P2P) or non-standard command and control protocol (5 events)

ip	120.76.246.204
ip	47.115.157.13
ip	157.255.225.49
ip	39.100.9.39
ip	47.92.99.221

Allocates read-write-execute memory (usually to unpack itself) (8 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 12, 2021, 11:03 a.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 753664 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71c43000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 11:03 a.m.	process_identifier: 2440 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 458752 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71bb1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 12, 2021, 10:58 a.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000004db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 12, 2021, 11:03 a.m.	process_identifier: 2912 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fff0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 11:03 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76897000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 11:03 a.m.	process_identifier: 2912 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76860000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 11:04 a.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 753664 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71c43000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 12, 2021, 11:04 a.m.	process_identifier: 2224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 458752 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71bb1000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

uqiwang.exe tried to sleep 365 seconds, actually delayed analysis time by 365 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (15 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceExW Nov. 12, 2021, 11:03 a.m.	total_number_of_free_bytes: 10210553856 free_bytes_available: 10210553856 root_path: C: total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 12, 2021, 11:04 a.m.	total_number_of_free_bytes: 75309056 free_bytes_available: 75309056 root_path: \\?\Volume{c2d901c3-0706-11e8-912e-806e6f6e6963}\ total_number_of_bytes: 104853504	1	1
GetDiskFreeSpaceExW Nov. 12, 2021, 11:04 a.m.	total_number_of_free_bytes: 10155327488 free_bytes_available: 10155327488 root_path: \\?\Volume{c2d901c4-0706-11e8-912e-806e6f6e6963}\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 12, 2021, 11:04 a.m.	total_number_of_free_bytes: 10155327488 free_bytes_available: 10155327488 root_path: \\?\Volume{c2d901c7-0706-11e8-912e-806e6f6e6963}\ total_number_of_bytes: 34252779520		0
GetDiskFreeSpaceExW Nov. 12, 2021, 11:05 a.m.	total_number_of_free_bytes: 75309056 free_bytes_available: 75309056 root_path: \\?\Volume{c2d901c3-0706-11e8-912e-806e6f6e6963}\ total_number_of_bytes: 104853504	1	1
GetDiskFreeSpaceExW Nov. 12, 2021, 11:05 a.m.	total_number_of_free_bytes: 10157125632 free_bytes_available: 10157125632 root_path: \\?\Volume{c2d901c4-0706-11e8-912e-806e6f6e6963}\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 12, 2021, 11:05 a.m.	total_number_of_free_bytes: 10157125632 free_bytes_available: 10157125632 root_path: \\?\Volume{c2d901c7-0706-11e8-912e-806e6f6e6963}\ total_number_of_bytes: 34252779520		0
GetDiskFreeSpaceExW Nov. 12, 2021, 11:05 a.m.	total_number_of_free_bytes: 75309056 free_bytes_available: 75309056 root_path: \\?\Volume{c2d901c3-0706-11e8-912e-806e6f6e6963}\ total_number_of_bytes: 104853504	1	1
GetDiskFreeSpaceExW Nov. 12, 2021, 11:05 a.m.	total_number_of_free_bytes: 10155311104 free_bytes_available: 10155311104 root_path: \\?\Volume{c2d901c4-0706-11e8-912e-806e6f6e6963}\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 12, 2021, 11:05 a.m.	total_number_of_free_bytes: 10155311104 free_bytes_available: 10155311104 root_path: \\?\Volume{c2d901c7-0706-11e8-912e-806e6f6e6963}\ total_number_of_bytes: 34252779520		0
GetDiskFreeSpaceExW Nov. 12, 2021, 11:05 a.m.	total_number_of_free_bytes: 75309056 free_bytes_available: 75309056 root_path: \\?\Volume{c2d901c3-0706-11e8-912e-806e6f6e6963}\ total_number_of_bytes: 104853504	1	1
GetDiskFreeSpaceExW Nov. 12, 2021, 11:05 a.m.	total_number_of_free_bytes: 10155311104 free_bytes_available: 10155311104 root_path: \\?\Volume{c2d901c4-0706-11e8-912e-806e6f6e6963}\ total_number_of_bytes: 34252779520	1	1
GetDiskFreeSpaceExW Nov. 12, 2021, 11:05 a.m.	total_number_of_free_bytes: 10155311104 free_bytes_available: 10155311104 root_path: \\?\Volume{c2d901c7-0706-11e8-912e-806e6f6e6963}\ total_number_of_bytes: 34252779520		0
GetDiskFreeSpaceExW Nov. 12, 2021, 10:56 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 10155577344 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1
GetDiskFreeSpaceExW Nov. 12, 2021, 10:58 a.m.	total_number_of_free_bytes: 0 free_bytes_available: 10157125632 root_path: C:\Users\test22\AppData\Local\Microsoft\Windows\Explorer total_number_of_bytes: 0	1	1

Foreign language identified in PE resource (50 out of 784 events)

name

FILE

language

LANG_CHINESE

filetype

PE32 executable (DLL) (GUI) Intel 80386, for MS Windows

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x004c0c28

size

0x01128400

name

GIF

language

LANG_CHINESE

filetype

GIF image data, version 89a, 200 x 170

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x015e9028

size

0x0001b0f3

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

name

PNG

language

LANG_CHINESE

filetype

PNG image data, 16 x 16, 8-bit/color RGBA, interlaced

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x01727c9c

size

0x000003fb

Creates executable files on the filesystem (41 events)

file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\bootice\BOOTICE.EXE
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\qemu\SDL.dll
file	C:\Users\test22\Documents\YunQiShiUSBDrive\uninstall.exe
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\qemu\libpdcurses.dll
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\pe\PECmd.exe
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\dos\bootsect.exe
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\oscdimg\etfsboot.com
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Dependency\InsNet.dll
file	C:\Users\Public\Desktop\云骑士装机大师(U盘版).lnk
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\download\download\XLBugHandler.dll
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\download\download\atl71.dll
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\download\download\MiniTPFw.exe
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\qemu\myqemu.exe
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\cpio\libiconv2.dll
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\download\download\msvcp71.dll
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\download\xldl.dll
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\fnt\mkblfont.exe
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\fbinst\fbinst.exe
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\download\download\zlib1.dll
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\dos\bcdedit.exe
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Dependency\Zlib.dll
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\download\download\minizip.dll
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\download\download\MiniThunderPlatform.exe
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\gdisk32\gdisk32.exe
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\cpio\cpio.exe
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\dos\bcdboot.exe
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\fnt\freetype6.dll
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\ConfigRes.dll
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\qemu\libz-1.dll
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\download\download\dl_peer_id.dll
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\download\download\ThunderFW.exe
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\download\download\download_engine.dll
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\qemu\libssp-0.dll
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\cpio\libintl3.dll
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\oscdimg\oscdimg.exe
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\download\download\msvcr71.dll
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\fnt\libiconv2.dll
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\fnt\zlib1.dll
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Dependency\Propsys.dll
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\download\download\XLBugReport.exe
file	C:\Users\test22\Documents\YunQiShiUSBDrive\update.exe

Creates a shortcut to an executable file (4 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\云骑士装机大师(U盘版)\卸载.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\云骑士装机大师(U盘版)\云骑士装机大师(U盘版).lnk
file	C:\Users\Public\Desktop\云骑士装机大师(U盘版).lnk
file	C:\Users\test22\Desktop\云骑士装机大师(U盘版).lnk

Creates a suspicious process (2 events)

cmdline	C:\windows\sysnative\bcdedit.exe /enum {BBA53588-9FEC-4BE1-9FF8-51BF7E088918}
cmdline	C:\windows\sysnative\bcdedit.exe

Drops a binary and executes it (3 events)

file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\download\download\MiniTPFw.exe
file	C:\Users\test22\Documents\YunQiShiUSBDrive\update.exe
file	C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\download\download\ThunderFW.exe

Executes one or more WMI queries (9 events)

wmi	select * from Win32_VideoController
wmi	select * from Win32_OperatingSystem
wmi	select * from Win32_PhysicalMemory
wmi	select * from Win32_ComputerSystem
wmi	select * from Win32_SystemEnclosure
wmi	select * from win32_DiskDrive
wmi	select * from Win32_DesktopMonitor
wmi	select * from win32_baseboard
wmi	select * from Win32_NetworkAdapter WHERE NetConnectionID != null

A process created a hidden window (3 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Nov. 12, 2021, 11:03 a.m.	show_type: 0 filepath_r: MiniTPFw.exe parameters: filepath: MiniTPFw.exe	1	1
ShellExecuteExW Nov. 12, 2021, 11:04 a.m.	show_type: 0 filepath_r: update.exe parameters: 4FB7D25268E0F658802D8CA493C76FC9B24AC78C469520FCCD2BF6CB7E35B270BED50E2600463B6EE69C35FA2008A41EAF0EAB8968667939D3ED1E6EC3C3D5C27A2C97F8B0DB381B9A9A2CD6C994C848F7E57C82CF93E05E21B2B7729FDD26E29806D5D8B67BD066EA41908218A47771E3EEADEB3C33EEEA8198C76F309C79EB59CB7011D6CA67820901496CD331EC7241162DA82D773F6B8B37B799C286A46CF86761CDDB2754E2B549FE965F43FE893766A51AB4788DA3811517F9C4E477E308BA8BB78C7C740CF3196DA35496895E5C438F16EC4A8FF5647E22013C053EA2D9D97401BDF0CDA8 filepath: update.exe	1	1
ShellExecuteExW Nov. 12, 2021, 11:03 a.m.	show_type: 0 filepath_r: ThunderFW.exe parameters: MiniThunderPlatform2021-11-1217:23:59 "C:\Users\test22\Documents\YunQiShiUSBDrive\Work\Tools\download\download\MiniThunderPlatform.exe" filepath: ThunderFW.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (38 events)

Time & API	Arguments	Status	Return
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: smss.exe process_identifier: 232	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: csrss.exe process_identifier: 312	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: wininit.exe process_identifier: 340	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: csrss.exe process_identifier: 364	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: winlogon.exe process_identifier: 404	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: services.exe process_identifier: 440	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: lsass.exe process_identifier: 456	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: lsm.exe process_identifier: 464	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: svchost.exe process_identifier: 576	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: svchost.exe process_identifier: 652	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: svchost.exe process_identifier: 720	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: svchost.exe process_identifier: 796	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: svchost.exe process_identifier: 844	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: audiodg.exe process_identifier: 924	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: svchost.exe process_identifier: 992	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: svchost.exe process_identifier: 348	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: spoolsv.exe process_identifier: 1064	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: svchost.exe process_identifier: 1120	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: taskhost.exe process_identifier: 1132	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: dwm.exe process_identifier: 1208	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: explorer.exe process_identifier: 1236	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: svchost.exe process_identifier: 1332	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: svchost.exe process_identifier: 1728	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: pw.exe process_identifier: 1860	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: SearchIndexer.exe process_identifier: 1904	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: SearchProtocolHost.exe process_identifier: 744	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: SearchFilterHost.exe process_identifier: 1984	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: SearchProtocolHost.exe process_identifier: 1876	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: mobsync.exe process_identifier: 1592	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: pw.exe process_identifier: 2084	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: wsqmcons.exe process_identifier: 2128	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: sdclt.exe process_identifier: 2172	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: taskhost.exe process_identifier: 2252	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: cmd.exe process_identifier: 2332	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: conhost.exe process_identifier: 2340	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: pw.exe process_identifier: 2400	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x000001fc process_name: uqiwang.exe process_identifier: 2440	1	1
Process32NextW Nov. 12, 2021, 11:03 a.m.	snapshot_handle: 0x00000344 process_name: dllhost.exe process_identifier: 2768	1	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Nov. 12, 2021, 11:04 a.m.	flags: 1158 family: 0	1	0	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x012d8e00', u'virtual_address': u'0x004ac000', u'entropy': 7.971870441736988, u'name': u'.rsrc', u'virtual_size': u'0x012d8c18'}

entropy

7.97187044174

description

A section with a high entropy has been found

entropy

0.803325771608

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (29 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Nov. 12, 2021, 11:03 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:03 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:03 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:03 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:03 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:03 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:03 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:03 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:03 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:03 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:03 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:03 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:03 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:03 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:03 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:03 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:03 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:03 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:03 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:04 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:04 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:04 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:04 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:04 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:04 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:04 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:04 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:04 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Nov. 12, 2021, 11:04 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (21 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Run a KeyLogger	rule	KeyLogger
description	Escalate priviledges	rule	Escalate_priviledges
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (4 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW Nov. 12, 2021, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x0000028c options: 0 access: 0x000f013f regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Nov. 12, 2021, 11:03 a.m.	regkey_r: {06FDF43F-E581-4834-ADDF-02FDA1E63F40} base_handle: 0x0000028c key_handle: 0x00000000 options: 0 access: 0x000f013f regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{06FDF43F-E581-4834-ADDF-02FDA1E63F40}		2
RegOpenKeyExW Nov. 12, 2021, 11:03 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall base_handle: 0x80000002 key_handle: 0x00000284 options: 0 access: 0x000f013f regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall	1	0
RegOpenKeyExW Nov. 12, 2021, 11:03 a.m.	regkey_r: {06FDF43F-E581-4834-ADDF-02FDA1E63F40} base_handle: 0x00000284 key_handle: 0x00000290 options: 0 access: 0x000f013f regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{06FDF43F-E581-4834-ADDF-02FDA1E63F40}	1	0

Terminates another process (16 events)

Time & API	Arguments	Return
NtTerminateProcess Nov. 12, 2021, 11:03 a.m.	status_code: 0x00000000 process_identifier: 0 process_handle: 0x00000280	0
NtTerminateProcess Nov. 12, 2021, 11:03 a.m.	status_code: 0x00000000 process_identifier: 0 process_handle: 0x00000280	3221225480
NtTerminateProcess Nov. 12, 2021, 11:03 a.m.	status_code: 0x00000000 process_identifier: 2528 process_handle: 0x0000027c	0
NtTerminateProcess Nov. 12, 2021, 11:03 a.m.	status_code: 0x00000000 process_identifier: 2528 process_handle: 0x0000027c	3221225738
NtTerminateProcess Nov. 12, 2021, 11:03 a.m.	status_code: 0x00000000 process_identifier: 0 process_handle: 0x00000288	0
NtTerminateProcess Nov. 12, 2021, 11:03 a.m.	status_code: 0x00000000 process_identifier: 0 process_handle: 0x00000288	3221225480
NtTerminateProcess Nov. 12, 2021, 11:03 a.m.	status_code: 0x00000000 process_identifier: 2588 process_handle: 0x00000280	0
NtTerminateProcess Nov. 12, 2021, 11:03 a.m.	status_code: 0x00000000 process_identifier: 2588 process_handle: 0x00000280	3221225738
NtTerminateProcess Nov. 12, 2021, 11:04 a.m.	status_code: 0x00000000 process_identifier: 0 process_handle: 0x00000278	0
NtTerminateProcess Nov. 12, 2021, 11:04 a.m.	status_code: 0x00000000 process_identifier: 0 process_handle: 0x00000278	3221225480
NtTerminateProcess Nov. 12, 2021, 11:04 a.m.	status_code: 0x00000000 process_identifier: 2532 process_handle: 0x000004c4	0
NtTerminateProcess Nov. 12, 2021, 11:04 a.m.	status_code: 0x00000000 process_identifier: 2532 process_handle: 0x000004c4	3221225738
NtTerminateProcess Nov. 12, 2021, 11:04 a.m.	status_code: 0x00000000 process_identifier: 0 process_handle: 0x0000058c	0
NtTerminateProcess Nov. 12, 2021, 11:04 a.m.	status_code: 0x00000000 process_identifier: 0 process_handle: 0x0000058c	3221225480
NtTerminateProcess Nov. 12, 2021, 11:04 a.m.	status_code: 0x00000000 process_identifier: 2644 process_handle: 0x00000278	0
NtTerminateProcess Nov. 12, 2021, 11:04 a.m.	status_code: 0x00000000 process_identifier: 2644 process_handle: 0x00000278	3221225738

The executable is likely packed with VMProtect (1 event)

section

.vmp0

description

Section name indicates VMProtect

Executes one or more WMI queries which can be used to identify virtual machines (2 events)

wmi	select * from Win32_ComputerSystem
wmi	select * from Win32_PhysicalMemory

Deletes executed files from disk (1 event)

file	C:\Users\test22\Documents\YunQiShiUSBDrive\update.exe

Queries information on disks, possibly for anti-virtualization (6 events)

Time & API	Arguments	Status	Return
NtCreateFile Nov. 12, 2021, 11:03 a.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x00000274 filepath: \??\PhysicalDrive0 desired_access: 0x80100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE) file_attributes: 0 () filepath_r: \??\PhysicalDrive0 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 1 (FILE_OPENED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0
NtCreateFile Nov. 12, 2021, 11:03 a.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x00000274 filepath: \??\PhysicalDrive0 desired_access: 0x80100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE) file_attributes: 0 () filepath_r: \??\PhysicalDrive0 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 1 (FILE_OPENED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0
NtCreateFile Nov. 12, 2021, 11:04 a.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x00000560 filepath: \??\PhysicalDrive0 desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 0 () filepath_r: \??\PhysicalDrive0 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 1 (FILE_OPENED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0
NtCreateFile Nov. 12, 2021, 11:04 a.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x00000560 filepath: \??\PhysicalDrive0 desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 0 () filepath_r: \??\PhysicalDrive0 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 1 (FILE_OPENED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0
NtCreateFile Nov. 12, 2021, 11:04 a.m.	create_disposition: 1 (FILE_OPEN) file_handle: 0x00000560 filepath: \??\PhysicalDrive0 desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 0 () filepath_r: \??\PhysicalDrive0 create_options: 96 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT) status_info: 1 (FILE_OPENED) share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	1	0
DeviceIoControl Nov. 12, 2021, 11:04 a.m.	input_buffer: ìæ control_code: 2954240 () device_handle: 0x00000540 output_buffer: (§	1	1

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Gen:Variant.Application.Ursu.936182
Cybereason	malicious.5cbe75
Arcabit	Trojan.Application.Ursu.DE48F6
Cyren	W32/Trojan.HCVX-1071
APEX	Malicious
Paloalto	generic.ml
BitDefender	Gen:Variant.Application.Ursu.936182
Avast	Win32:TrojanX-gen [Trj]
McAfee-GW-Edition	Artemis
Emsisoft	Gen:Variant.Application.Ursu.936182 (B)
Webroot	W32.Trojan.Gen
GData	Gen:Variant.Application.Ursu.936182
McAfee	Artemis!2FA17055CBE7
MAX	malware (ai score=71)
Rising	Malware.Heuristic!ET#79% (RDMK:cmRtazoBoUbMjPfl2fAL5jRRUXuB)
eGambit	Unsafe.AI_Score_100%
AVG	Win32:TrojanX-gen [Trj]

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2440 resumed a thread in remote process 2840
Process injection	Process 2440 resumed a thread in remote process 2224
NtResumeThread Nov. 12, 2021, 11:03 a.m.	thread_handle: 0x000003f8 suspend_count: 1 process_identifier: 2840	1	0	0
NtResumeThread Nov. 12, 2021, 11:04 a.m.	thread_handle: 0x0000056c suspend_count: 1 process_identifier: 2224	1	0	0

uqiwang.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All