popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

nldupdater.exe

Gen1 Malicious Library Admin Tool (Sysinternals etc ...) UPX PE File PE32 DLL
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6403_us Jan. 22, 2023, 2:45 p.m. Jan. 22, 2023, 3:22 p.m.
Size 1.3MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 2175488e7dc5276453357f93818e07d7
SHA256 91f87ab3470bff9e8f2d3f74a1ab559fda3ea18a0cf908444acf32edc851a0fe
CRC32 BA993B60
ssdeep 24576:t87k5RU5CO9tgATmW5QYGBOBwD13Myx7aQejEDaSSyk3p:+FT9tmN19QVcS1p
Yara
  • IsPE32 - (no description)
  • PE_Header_Zero - PE File Signature
  • Malicious_Library_Zero - Malicious_Library
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
abcdefghijklmnopqrstuvwxxyzabcdefghijklmnopqrstuvwxyzabcdefghij.com
A 85.184.161.145
85.184.161.145
ping.nolimitdronez.com
A 85.184.161.145
85.184.161.145
IP Address Status Action
164.124.101.2 Active Moloch
85.184.161.145 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 85.184.161.145:80 -> 192.168.56.103:49163 2018959 ET POLICY PE EXE or DLL Windows file download HTTP Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW

 buffer: * daemon not running; starting now at tcp:5037
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: * daemon started successfully
console_handle: 0x0000000b
1 1 0

WriteConsoleW

 buffer: List of devices attached
console_handle: 0x00000007
1 1 0
section CODE
section DATA
section BSS
Time & API Arguments Status Return Repeated

__exception__

 stacktrace: 
nldapp+0x1e926 @ 0x41e926
nldapp+0x1e7f9 @ 0x41e7f9
nldapp+0x155b82 @ 0x555b82
nldapp+0x155c89 @ 0x555c89
nldapp+0x1568ef @ 0x5568ef
nldapp+0x72a47 @ 0x472a47
nldapp+0x72727 @ 0x472727
nldapp+0x79e28 @ 0x479e28
nldapp+0x186b78 @ 0x586b78
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 1637136
registers.edi: 39780352
registers.eax: 1637136
registers.ebp: 1637216
registers.edx: 0
registers.ebx: 39807544
registers.esi: 39829512
registers.ecx: 7
1 0 0

__exception__

 stacktrace: 
nldapp+0x155e14 @ 0x555e14
nldapp+0x1568ef @ 0x5568ef
nldapp+0x72a47 @ 0x472a47
nldapp+0x72727 @ 0x472727
nldapp+0x79e28 @ 0x479e28
nldapp+0x186b78 @ 0x586b78
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 1637272
registers.edi: 5949464
registers.eax: 1637272
registers.ebp: 1637352
registers.edx: 0
registers.ebx: 5594644
registers.esi: 5594644
registers.ecx: 7
1 0 0

__exception__

 stacktrace: 
nldapp+0x155efa @ 0x555efa
nldapp+0x1568ef @ 0x5568ef
nldapp+0x72a47 @ 0x472a47
nldapp+0x72727 @ 0x472727
nldapp+0x79e28 @ 0x479e28
nldapp+0x186b78 @ 0x586b78
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x7559b727
registers.esp: 1637272
registers.edi: 1637424
registers.eax: 1637272
registers.ebp: 1637352
registers.edx: 0
registers.ebx: 5594874
registers.esi: 5594874
registers.ecx: 7
1 0 0
Time & API Arguments Status Return Repeated

bind

 ip_address: 0.0.0.0
socket: 348
port: 0
1 0 0

bind

 ip_address: 127.0.0.1
socket: 712
port: 0
1 0 0

bind

 ip_address: 0.0.0.0
socket: 924
port: 0
1 0 0

bind

 ip_address: 0.0.0.0
socket: 396
port: 0
1 0 0

bind

 ip_address: 0.0.0.0
socket: 396
port: 0
1 0 0

bind

 ip_address: 0.0.0.0
socket: 512
port: 0
1 0 0

bind

 ip_address: 0.0.0.0
socket: 532
port: 0
1 0 0

bind

 ip_address: 0.0.0.0
socket: 532
port: 0
1 0 0

bind

 ip_address: 127.0.0.1
socket: 316
port: 0
1 0 0

listen

 socket: 316
backlog: 2147483647
1 0 0

accept

 ip_address:
socket: 316
port: 0
1 324 0

bind

 ip_address: 127.0.0.1
socket: 308
port: 0
1 0 0

listen

 socket: 308
backlog: 2147483647
1 0 0

accept

 ip_address:
socket: 308
port: 0
1 316 0

bind

 ip_address: 127.0.0.1
socket: 332
port: 0
1 0 0

listen

 socket: 332
backlog: 2147483647
1 0 0

accept

 ip_address:
socket: 332
port: 0
1 340 0

bind

 ip_address: 127.0.0.1
socket: 348
port: 5037
1 0 0

listen

 socket: 348
backlog: 2147483647
1 0 0

accept

 ip_address:
socket: 348
port: 0
1 464 0
suspicious_features POST method with no referer header, HTTP version 1.0 used suspicious_request POST http://abcdefghijklmnopqrstuvwxxyzabcdefghijklmnopqrstuvwxyzabcdefghij.com/
request GET http://abcdefghijklmnopqrstuvwxxyzabcdefghijklmnopqrstuvwxyzabcdefghij.com/appupdate.json
request GET http://abcdefghijklmnopqrstuvwxxyzabcdefghijklmnopqrstuvwxyzabcdefghij.com/downloads/nldapp.exe
request GET http://ping.nolimitdronez.com/
request POST http://abcdefghijklmnopqrstuvwxxyzabcdefghijklmnopqrstuvwxyzabcdefghij.com/
request GET http://abcdefghijklmnopqrstuvwxxyzabcdefghijklmnopqrstuvwxyzabcdefghij.com/scrolltxt.txt
request POST http://abcdefghijklmnopqrstuvwxxyzabcdefghijklmnopqrstuvwxyzabcdefghij.com/
Time & API Arguments Status Return Repeated

NtAllocateVirtualMemory

 process_identifier: 1680
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009c0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x758f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x756e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74201000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73fd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d91000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d71000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d51000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 1680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73d41000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2268
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x009f0000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2268
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x748b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2268
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74891000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2268
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x758f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2268
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x756e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2268
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74851000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2268
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74841000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2268
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74221000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2268
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75201000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76971000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74fc1000
process_handle: 0xffffffff
1 0 0
name RT_ICON language LANG_NEUTRAL filetype dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 33554431, next used block 33554431 sublanguage SUBLANG_ARABIC_OMAN offset 0x00101e54 size 0x00042028
name RT_ICON language LANG_NEUTRAL filetype dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 33554431, next used block 33554431 sublanguage SUBLANG_ARABIC_OMAN offset 0x00101e54 size 0x00042028
name RT_ICON language LANG_NEUTRAL filetype dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 33554431, next used block 33554431 sublanguage SUBLANG_ARABIC_OMAN offset 0x00101e54 size 0x00042028
name RT_ICON language LANG_NEUTRAL filetype dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 33554431, next used block 33554431 sublanguage SUBLANG_ARABIC_OMAN offset 0x00101e54 size 0x00042028
name RT_ICON language LANG_NEUTRAL filetype dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 33554431, next used block 33554431 sublanguage SUBLANG_ARABIC_OMAN offset 0x00101e54 size 0x00042028
name RT_ICON language LANG_NEUTRAL filetype dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 33554431, next used block 33554431 sublanguage SUBLANG_ARABIC_OMAN offset 0x00101e54 size 0x00042028
name RT_GROUP_ICON language LANG_NEUTRAL filetype data sublanguage SUBLANG_ARABIC_OMAN offset 0x0014bcdc size 0x0000005a
file C:\Windows\System32\adb.exe
file C:\Windows\System32\AdbWinUsbApi.dll
file C:\Windows\System32\AdbWinApi.dll
file C:\Users\test22\AppData\Local\Temp\nldapp.exe
file C:\Windows\SysWOW64\adb.exe
file C:\Users\test22\AppData\Local\Temp\nldapp.exe
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x00000204
process_name: taskhost.exe
process_identifier: 2040
1 1 0

Process32NextW

 snapshot_handle: 0x00000204
process_name: cmd.exe
process_identifier: 156
1 1 0

Process32NextW

 snapshot_handle: 0x00000204
process_name: conhost.exe
process_identifier: 496
1 1 0

Process32NextW

 snapshot_handle: 0x00000204
process_name: SearchProtocolHost.exe
process_identifier: 1076
1 1 0

Process32NextW

 snapshot_handle: 0x00000204
process_name: SearchFilterHost.exe
process_identifier: 1516
1 1 0

Process32NextW

 snapshot_handle: 0x00000204
process_name: pw.exe
process_identifier: 1880
1 1 0

Process32NextW

 snapshot_handle: 0x00000168
process_name: nldapp.exe
process_identifier: 2268
1 1 0

Process32NextW

 snapshot_handle: 0x00000200
process_name: mscorsvw.exe
process_identifier: 2324
1 1 0

Process32NextW

 snapshot_handle: 0x00000200
process_name: svchost.exe
process_identifier: 2352
1 1 0

Process32NextW

 snapshot_handle: 0x00000200
process_name: mscorsvw.exe
process_identifier: 2408
1 1 0

Process32NextW

 snapshot_handle: 0x00000200
process_name: sppsvc.exe
process_identifier: 2452
1 1 0

Process32NextW

 snapshot_handle: 0x00000200
process_name: cmd.exe
process_identifier: 2496
1 1 0

Process32NextW

 snapshot_handle: 0x00000200
process_name: conhost.exe
process_identifier: 2504
1 1 0

Process32NextW

 snapshot_handle: 0x00000200
process_name: pw.exe
process_identifier: 2528
1 1 0
Time & API Arguments Status Return Repeated

recv

 buffer: HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Sat, 21 Jan 2023 16:03:44 GMT Accept-Ranges: bytes ETag: "c788d6efb12dd91:0" Server: Microsoft-IIS/10.0 Date: Sun, 22 Jan 2023 06:19:31 GMT Content-Length: 5758976 MZPÿÿ¸@º´ Í!¸LÍ!This program must be run under Win32 $7PEL^B*àŽ bz?8e€@`X@Ð:,R; $ÕCODElab `DATAÄ!€"f@ÀBSSU°ˆÀ.idata:,Ð.ˆ@À.tls¶À.rdata¶@P.reloc$Õ Ö¸
received: 1024
socket: 924
1 1024 0

recv

 buffer: MZÿÿ¸@𺴠Í!¸LÍ!This program cannot be run in DOS mode. $Ð!Q%”@?v”@?v”@?v8¬v™@?v”@>v@?v8ªv…@?v8¼vÝ@?v8­v•@?v8»v¼@?v8«v•@?v8®v•@?vRich”@?vPEL1¶ËUà!  È8JCà@0.@ðÖ^ŒÊd0 à/@ .textNÇÈ `.data¤àÌ@À.rsrc0Ú@@.relocà@B¾Ö¦ÒÞÒÓ*ÓfӘÓêÓÔPԀ԰ÔØÔüÔ4ՆÕæÕ>Ö^֖ֆÒÔÍæÍöÍÎÎÎ(Î:ÎJÎ\Îp΀ΐΤβÎÀÎÌÎÚÎäÎúÎ ÏÏ*Ï<ÏRÏlτϸÏÆÏÔÏâÏüÏ Ð"Ð<ÐPÐdЀОЪжÐÌÐÞÐêÐôÐÑÑ$Ñ6ÑFѾ͔ͦ͆ÍpÍ`ÍRÍJÍ2ÍÍþÌæÌÖÌÆ̮̞ÏÊѶÑèъÑxÑdÑöÑÒ"ÒBÒfҢѐÌQÃ@,Ã@ÃO@:‚@—¢@1¶ËUXH/H#bad allocationDeleteNoRemoveForceRemoveValBDMS#ÀF\@X@T@P@H@0@@ @‹4@`Á@U0@lÁ@å2@xÁ@„Á@„0@q3@Á@œÁ@¨Á@´Á@ÀÁ@o1@Î7@`Á@U0@F8@5@xÁ@„Á@85@…6@ô7@ØÁ@äÁ@ðÁ@üÁ@•:@`Á@U0@lÁ@ÌÁ@xÁ@„Á@œ9@Â@$=@‡<@—<@§<@°<@=@FÀFAPPIDDeleteNoRemoveForceRemoveValBDMS˜@”@@Œ@ˆ@|@p@h@ /@s>@@Y@N>@csmà “I@SetThreadStackGuaranteekernel32.dllkernelbase.dllRY@@Y@Unknown exceptionCorExitProcessmscoree.dllEncodePointerKERNEL32.DLLKERNELBASE.DLLDecodePointerFlsFreeFlsSetValueFlsGetValueFlsAllocÂp@|n@@Y@:r@bad exception8ð@ˆð@runtime error TLOSS error SING error DOMAIN error R6034 An application has made an attempt to load the C runtime library incorrectly. Please contact the application's support team for more information. R6033 - Attempt to use MSIL code from this assembly during native code initialization This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain. R6032 - not enough space for locale information R6031 - Attempt to initialize the CRT more than once. This indicates a bug in your application. R6030 - CRT not initialized R6028 - unable to initialize heap R6027 - not enough space for lowio initialization R6026 - not enough space for stdio initialization R6025 - pure virtual function call R6024 - not enough space for _onexit/atexit table R6019 - unable to open console device R6018 - unexpected heap error R6017 - unexpected multithread
received: 4095
socket: 924
1 4095 0

recv

 buffer: X/DˆS'ÎԍŸ é–#ì Í¿fàa•LüO”-‹ûß-ÓßAfÒfK(&Ê5ƕ'‹Ãã¥(Q´rßH÷ã)ÀZ¬ÜÞ·pÛa~—˜ƒn¾¡ÒôÁúaZ$“.„‘üлðåˆ 0ß:ØQhm.NÆqÓ4†ºp*¶SÚIý‚xCQ‡Fò léfâg|ÀõéÚaÞ±k½FηzS%Tð å®B¤‹0äñðší­÷Ũœv!|XLí•êÜ°/”a²±¿¿ŒJw!Í~ÄP , cÏ¢uùŸn?Õbo,K¦¯úlz˜ {o")&=O8‚7¸ó$B›:ƒMZÿÿ¸@к´ Í!¸LÍ!This program cannot be run in DOS mode. $m2ÝÂ)S³‘)S³‘)S³‘Ï]‘(S³‘ÏA‘+S³‘Ï^‘(S³‘ÏC‘(S³‘Rich)S³‘PELÃ)úVà!  0 @‚s@Å0À<8.textÕ `.rsrc0@@Ã)úV:TTÃ)úV d¤¤RSDS€¦ð—Ã’ðJ’2|¤Í 4®api-ms-win-crt-runtime-l1-1-0.pdbT.rdataT´.rdata$zzzdbgÅ.edata0X.rsrc$01`0 .rsrc$02NøùVfkk8䐎«Íò4Ss”µÖøEgŠ­Ìí )Nn†ŸÈý&Ef·ß'DjªÈè >…ËJn²;a‚²ó2b°ö1YŒÚ C l ™ Ä ê !2!V!Ž!Ç! "P"n"ˆ"¦"Ä"ã"##<#Z#u##¡#½#Ý#ÿ##$D$c$…$©$Ê$ç$%%9%W%p%%¨%Â%ˆÂá )Hgˆ©Êë7\{¢Áà?f–±è:Y|«Ìû=T‰ž¿Úÿg¬ó>_†ç.Qz“ÚXu–Ó"Ir¯ 3 \ … ¶ Û !'!F!o!¶!á!B"g"~"›"º"×"ø"#0#Q#l#‡#œ#¯#Ô#ï#$7$Z$u$ž$½$à$÷$%+%P%g%‚%¡%¸%  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijapi-ms-win-crt-runtime-l1-1-0.dll_Exitucrtbase._Exit__control87_2ucrtbase.__control87_2__doserrnoucrtbase.__doserrno__fpe_flt_roundsucrtbase.__fpe_flt_rounds__fpecodeucrtbase.__fpecode__p___argcucrtbase.__p___argc__p___argvucrtbase.__p_
received: 2919
socket: 924
1 2919 0
section {u'size_of_data': u'0x00019600', u'virtual_address': u'0x000b9000', u'entropy': 7.7363709308930755, u'name': u'DATA', u'virtual_size': u'0x00019508'} entropy 7.73637093089 description A section with a high entropy has been found
Time & API Arguments Status Return Repeated

EnumServicesStatusA

 service_handle: 0x007431a0
service_type: 48
service_status: 3
0 0
Time & API Arguments Status Return Repeated

RegSetValueExA

 key_handle: 0x00000348
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
1 0 0