popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Plugin_0703.exe.bak

Emotet Gen1 Generic Malware Malicious Library Antivirus UPX GIF Format PE File Lnk Format OS Processor Check PE32 ZIP Format CAB DLL
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 July 10, 2024, 4:07 p.m. July 10, 2024, 4:09 p.m.
Size 4.8MB
Type PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MS CAB-Installer self-extracting archive
MD5 7fb098ac9cc8d730ac0ea7111805a553
SHA256 ee0f53a93732a97a9ee313f167c06c0f8c9bc044fe78f2e926520b92f9dfcb61
CRC32 610337A2
ssdeep 98304:YwlrM3j/MWbPvP+PpaCdppTctirYpJxPHE7OIGya7j86/rDO98:pSkWbPvPcacTcMrkJtHE7OxH7j862m
Yara
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • Win32_Trojan_Emotet_RL_Gen_Zero - Win32 Trojan Emotet
  • IsPE32 - (no description)
  • CAB_file_format - CAB archive file
  • UPX_Zero - UPX packed file

Name Response Post-Analysis Lookup
No hosts contacted.
IP Address Status Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW

 computer_name: TEST22-PC
1 1 0

GetComputerNameW

 computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent

 0 0
resource name AVI
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2552
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73921000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75b71000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73321000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x729a1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73301000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2628
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73921000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72831000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x764b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75831000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73261000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72811000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72801000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x727c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72771000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72761000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x730d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72731000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72691000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72611000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x725e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x725c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x725b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72581000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72531000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72521000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x724c1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72471000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72461000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x721f1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x721e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x721d1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72191000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72171000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72141000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72101000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x720e1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x720b1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72051000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75b71000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71ff1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71fd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71fc1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71fa1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71f61000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71f21000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71ee1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2756
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x71e91000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceW

 number_of_free_clusters: 3252019
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0

GetDiskFreeSpaceW

 number_of_free_clusters: 3252019
sectors_per_cluster: 8
bytes_per_sector: 512
root_path: \
total_number_of_clusters: 8362495
1 1 0
name AVI language LANG_CHINESE filetype RIFF (little-endian) data, AVI, 272 x 60, 10.00 fps, video: RLE 8bpp sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0000c968 size 0x00002e1a
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0007f2ec size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0007f2ec size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0007f2ec size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0007f2ec size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0007f2ec size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0007f2ec size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0007f2ec size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0007f2ec size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0007f2ec size 0x00000468
name RT_ICON language LANG_CHINESE filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0007f2ec size 0x00000468
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0007fd50 size 0x000000d2
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0007fd50 size 0x000000d2
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0007fd50 size 0x000000d2
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0007fd50 size 0x000000d2
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0007fd50 size 0x000000d2
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0007fd50 size 0x000000d2
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0008066c size 0x00000132
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0008066c size 0x00000132
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0008066c size 0x00000132
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0008066c size 0x00000132
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0008066c size 0x00000132
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x0008066c size 0x00000132
name RT_GROUP_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x004cd4e0 size 0x00000092
name RT_VERSION language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x004cd574 size 0x00000408
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\NodeManager.exe
file C:\ProgramData\Microsoft\Windows\Start Menu\ÍøÂ绤º½²å¼þ.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\жÔØÍøÂ绤º½²å¼þ.lnk
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Install.exe
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\libeay32.dll
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\ssleay32.dll
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\Uninstall.exe
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\NodeService.exe
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\libcrypto.dll
file C:\Users\test22\AppData\Local\Temp\IXP000.TMP\DuiLib.dll
file C:\ProgramData\Microsoft\Windows\Start Menu\жÔØÍøÂ绤º½²å¼þ.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\ÍøÂ绤º½²å¼þ.lnk
file C:\Program Files (x86)\Ruijie Networks\NodeManager.exe
Time & API Arguments Status Return Repeated

ShellExecuteExW

 show_type: 0
filepath_r: C:\Program Files (x86)\Ruijie Networks\NodeManager.exe
parameters: --NotPortalIntall
filepath: C:\Program Files (x86)\Ruijie Networks\NodeManager.exe
1 1 0
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x00000124
process_name: mobsync.exe
process_identifier: 2276
1 1 0

Process32NextW

 snapshot_handle: 0x00000124
process_name: pw.exe
process_identifier: 2316
1 1 0

Process32NextW

 snapshot_handle: 0x00000124
process_name: wsqmcons.exe
process_identifier: 2344
1 1 0

Process32NextW

 snapshot_handle: 0x00000124
process_name: taskhost.exe
process_identifier: 2364
1 1 0

Process32NextW

 snapshot_handle: 0x00000124
process_name: Plugin_0703.exe.bak
process_identifier: 2552
1 1 0

Process32NextW

 snapshot_handle: 0x00000124
process_name: schtasks.exe
process_identifier: 2604
1 1 0

Process32NextW

 snapshot_handle: 0x00000124
process_name: conhost.exe
process_identifier: 2612
1 1 0

Process32NextW

 snapshot_handle: 0x00000124
process_name: Install.exe
process_identifier: 2628
1 1 0

Process32NextW

 snapshot_handle: 0x00000158
process_name: NodeManager.exe
process_identifier: 2076
1 1 0
section {u'size_of_data': u'0x004c2000', u'virtual_address': u'0x0000c000', u'entropy': 7.797889420862047, u'name': u'.rsrc', u'virtual_size': u'0x004c2000'} entropy 7.79788942086 description A section with a high entropy has been found
entropy 0.992462823386 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x00000124
process_name: Install.exe
process_identifier: 2628
0 0

Process32NextW

 snapshot_handle: 0x000001ac
process_name: Install.exe
process_identifier: 2628
0 0

Process32NextW

 snapshot_handle: 0x000001b0
process_name: Install.exe
process_identifier: 2628
0 0

Process32NextW

 snapshot_handle: 0x000001b4
process_name: Install.exe
process_identifier: 2628
0 0

Process32NextW

 snapshot_handle: 0x000001b8
process_name: Install.exe
process_identifier: 2628
0 0

Process32NextW

 snapshot_handle: 0x000001bc
process_name: Install.exe
process_identifier: 2628
0 0

Process32NextW

 snapshot_handle: 0x000001c0
process_name: Install.exe
process_identifier: 2628
0 0

Process32NextW

 snapshot_handle: 0x000001c4
process_name: Install.exe
process_identifier: 2628
0 0

Process32NextW

 snapshot_handle: 0x000001c8
process_name: Install.exe
process_identifier: 2628
0 0

Process32NextW

 snapshot_handle: 0x000001cc
process_name: Install.exe
process_identifier: 2628
0 0

Process32NextW

 snapshot_handle: 0x000001d0
process_name: Install.exe
process_identifier: 2628
0 0

Process32NextW

 snapshot_handle: 0x0000015c
process_name: NodeManager.exe
process_identifier: 2076
0 0

Process32NextW

 snapshot_handle: 0x00000160
process_name: NodeManager.exe
process_identifier: 2076
0 0

Process32NextW

 snapshot_handle: 0x00000164
process_name: NodeManager.exe
process_identifier: 2076
0 0

Process32NextW

 snapshot_handle: 0x00000168
process_name: NodeManager.exe
process_identifier: 2076
0 0

Process32NextW

 snapshot_handle: 0x0000016c
process_name: NodeManager.exe
process_identifier: 2076
0 0

Process32NextW

 snapshot_handle: 0x00000170
process_name: NodeManager.exe
process_identifier: 2076
0 0

Process32NextW

 snapshot_handle: 0x00000174
process_name: NodeManager.exe
process_identifier: 2076
0 0

Process32NextW

 snapshot_handle: 0x00000178
process_name: NodeManager.exe
process_identifier: 2076
0 0

Process32NextW

 snapshot_handle: 0x0000017c
process_name: NodeManager.exe
process_identifier: 2076
0 0

Process32NextW

 snapshot_handle: 0x00000180
process_name: NodeManager.exe
process_identifier: 2076
0 0
Time & API Arguments Status Return Repeated

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall
base_handle: 0x80000002
key_handle: 0x0000020c
options: 0
access: 0x0002011f
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ruijieplugin
base_handle: 0x80000002
key_handle: 0x0000020c
options: 0
access: 0x0002011f
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ruijieplugin
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ruijieplugin
base_handle: 0x80000002
key_handle: 0x0000020c
options: 0
access: 0x0002011f
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ruijieplugin
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ruijieplugin
base_handle: 0x80000002
key_handle: 0x0000020c
options: 0
access: 0x0002011f
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ruijieplugin
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ruijieplugin
base_handle: 0x80000002
key_handle: 0x0000020c
options: 0
access: 0x0002011f
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ruijieplugin
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ruijieplugin
base_handle: 0x80000002
key_handle: 0x0000020c
options: 0
access: 0x0002011f
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ruijieplugin
1 0 0

RegOpenKeyExA

 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\ruijieplugin
base_handle: 0x80000002
key_handle: 0x0000020c
options: 0
access: 0x0002011f
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\ruijieplugin
1 0 0
Time & API Arguments Status Return Repeated

NtTerminateProcess

 status_code: 0x00000000
process_identifier: 2628
process_handle: 0x0000015c
0 0

NtTerminateProcess

 status_code: 0x00000000
process_identifier: 2628
process_handle: 0x0000015c
1 0 0
cmdline cmd /C "netsh advfirewall firewall add rule name=Plugin_Port_Open profile=any dir=in action=allow protocol=tcp localport=52580
cmdline cmd /C "netsh advfirewall firewall add rule name=Plugin_Port_Open profile=any dir=in action=allow protocol=tcp localport=52570
cmdline netsh advfirewall firewall delete rule name=Plugin_Port_Open
cmdline cmd /C "netsh advfirewall firewall delete rule name=Plugin_Port_Open"
cmdline netsh advfirewall firewall add rule name=Plugin_Port_Open profile=any dir=in action=allow protocol=tcp localport=52570
cmdline netsh advfirewall firewall add rule name=Plugin_Port_Open profile=any dir=in action=allow protocol=tcp localport=52580
service_name NodeService service_path C:\Program Files (x86)\Ruijie Networks\NodeService.exe
cmdline cmd /C "netsh advfirewall firewall add rule name=Plugin_Port_Open profile=any dir=in action=allow protocol=tcp localport=52580
cmdline cmd /C "netsh advfirewall firewall add rule name=Plugin_Port_Open profile=any dir=in action=allow protocol=tcp localport=52570
cmdline netsh advfirewall firewall delete rule name=Plugin_Port_Open
cmdline cmd /C "netsh advfirewall firewall delete rule name=Plugin_Port_Open"
cmdline netsh advfirewall firewall add rule name=Plugin_Port_Open profile=any dir=in action=allow protocol=tcp localport=52570
cmdline netsh advfirewall firewall add rule name=Plugin_Port_Open profile=any dir=in action=allow protocol=tcp localport=52580
Time & API Arguments Status Return Repeated

CreateServiceA

 service_start_name:
start_type: 2
password:
display_name: RJ NodeService Service
filepath: C:\Program Files (x86)\Ruijie Networks\NodeService.exe
service_name: NodeService
filepath_r: C:\Program Files (x86)\Ruijie Networks\NodeService.exe
desired_access: 18
service_handle: 0x00349e10
error_control: 0
service_type: 272
service_manager_handle: 0x00349eb0
1 3448336 0