popup
Summary | ZeroBOX
  1. Home
  2. Result
  3. Report
  4. Detail Analysis

Update.exe

Emotet Generic Malware Malicious Library ASPack UPX ftp PE File dll OS Processor Check PE32 DLL DllRegisterServer
  1. Resubmit sample
Category Machine Started Completed
FILE s1_win7_x6401 Aug. 4, 2024, 1:34 p.m. Aug. 4, 2024, 2:03 p.m.
Size 2.8MB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 74ab75d72b7032670f1dc2ef43da440a
SHA256 4086c7d83c805c3eb49c785b927d587ee501dd70d41db4bd20efabbbee49f6f1
CRC32 32EA01DE
ssdeep 49152:H6BWGwSYAkGqJm6zh0fzxQyye88d3iOnpCcyH69ReTNAxoXBRrt:yFqJ9hOea8PXa8YoXBRrt
Yara
  • ftp_command - ftp command
  • DllRegisterServer_Zero - execute regsvr32.exe
  • Malicious_Library_Zero - Malicious_Library
  • PE_Header_Zero - PE File Signature
  • ASPack_Zero - ASPack packed file
  • IsPE32 - (no description)
  • UPX_Zero - UPX packed file
  • Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet
  • Generic_Malware_Zero - Generic Malware
  • OS_Processor_Check_Zero - OS Processor Check

Name Response Post-Analysis Lookup
api.znhds.com.cn
A 47.101.195.107
47.101.195.107
www.baidu.com
CNAME www.a.shifen.com
A 119.63.197.151
A 119.63.197.139
CNAME www.wshifen.com
119.63.197.151
x1.i.lencr.org
CNAME crl.root-x1.letsencrypt.org.edgekey.net
CNAME e8652.dscx.akamaiedge.net
A 23.52.33.11
23.52.33.11
IP Address Status Action
119.63.197.151 Active Moloch
164.124.101.2 Active Moloch
23.52.33.11 Active Moloch
47.101.195.107 Active Moloch

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.101:49161 -> 119.63.197.151:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.101:49163 -> 47.101.195.107:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow Issuer Subject Fingerprint
TLSv1
192.168.56.101:49161
119.63.197.151:443 		C=BE, O=GlobalSign nv-sa, CN=GlobalSign RSA OV SSL CA 2018 C=CN, ST=beijing, L=beijing, O=Beijing Baidu Netcom Science Technology Co., Ltd, CN=baidu.com ef:0f:be:13:02:e2:c4:d4:89:ba:8f:ba:88:ef:6f:95:dc:cf:7b:e0
TLSv1
192.168.56.101:49163
47.101.195.107:443 		C=US, O=Let's Encrypt, CN=E5 CN=api.znhds.com.cn 65:6b:c9:e1:e6:25:98:55:51:4b:2d:76:a3:87:ea:94:0b:71:20:10

Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

 1 1 0
packer Armadillo v1.71
resource name TEXTINCLUDE
request GET http://x1.i.lencr.org/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72dd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x732d4000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72dd2000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72bb1000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

 process_identifier: 2548
region_size: 253952
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10000000
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x72b81000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10000000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7643d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x76438000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x7585d000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75866000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75858000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75856000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75861000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75861000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75857000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75858000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75857000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75861000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75864000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x75864000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

 process_identifier: 2548
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x10009000
process_handle: 0xffffffff
1 0 0
name TEXTINCLUDE language LANG_CHINESE filetype C source, ASCII text, with CRLF line terminators sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002deca8 size 0x00000151
name TEXTINCLUDE language LANG_CHINESE filetype C source, ASCII text, with CRLF line terminators sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002deca8 size 0x00000151
name TEXTINCLUDE language LANG_CHINESE filetype C source, ASCII text, with CRLF line terminators sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002deca8 size 0x00000151
name RT_CURSOR language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002df198 size 0x000000b4
name RT_CURSOR language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002df198 size 0x000000b4
name RT_CURSOR language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002df198 size 0x000000b4
name RT_CURSOR language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002df198 size 0x000000b4
name RT_BITMAP language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002e0a0c size 0x00000144
name RT_BITMAP language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002e0a0c size 0x00000144
name RT_BITMAP language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002e0a0c size 0x00000144
name RT_BITMAP language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002e0a0c size 0x00000144
name RT_BITMAP language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002e0a0c size 0x00000144
name RT_BITMAP language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002e0a0c size 0x00000144
name RT_BITMAP language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002e0a0c size 0x00000144
name RT_BITMAP language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002e0a0c size 0x00000144
name RT_BITMAP language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002e0a0c size 0x00000144
name RT_BITMAP language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002e0a0c size 0x00000144
name RT_BITMAP language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002e0a0c size 0x00000144
name RT_BITMAP language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002e0a0c size 0x00000144
name RT_BITMAP language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002e0a0c size 0x00000144
name RT_BITMAP language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002e0a0c size 0x00000144
name RT_BITMAP language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002e0a0c size 0x00000144
name RT_MENU language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f6ecc size 0x00000284
name RT_MENU language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f6ecc size 0x00000284
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8114 size 0x0000018c
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8114 size 0x0000018c
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8114 size 0x0000018c
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8114 size 0x0000018c
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8114 size 0x0000018c
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8114 size 0x0000018c
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8114 size 0x0000018c
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8114 size 0x0000018c
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8114 size 0x0000018c
name RT_DIALOG language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8114 size 0x0000018c
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8b5c size 0x00000024
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8b5c size 0x00000024
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8b5c size 0x00000024
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8b5c size 0x00000024
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8b5c size 0x00000024
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8b5c size 0x00000024
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8b5c size 0x00000024
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8b5c size 0x00000024
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8b5c size 0x00000024
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8b5c size 0x00000024
name RT_STRING language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8b5c size 0x00000024
name RT_GROUP_CURSOR language LANG_CHINESE filetype Lotus unknown worksheet or configuration, revision 0x2 sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8ba8 size 0x00000022
name RT_GROUP_CURSOR language LANG_CHINESE filetype Lotus unknown worksheet or configuration, revision 0x2 sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8ba8 size 0x00000022
name RT_GROUP_CURSOR language LANG_CHINESE filetype Lotus unknown worksheet or configuration, revision 0x2 sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8ba8 size 0x00000022
name RT_GROUP_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8c20 size 0x00000014
name RT_GROUP_ICON language LANG_CHINESE filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x002f8c20 size 0x00000014
file C:\Users\test22\AppData\Local\Temp\7z.dll
file C:\Users\test22\AppData\Local\Temp\7z.dll
Time & API Arguments Status Return Repeated

Process32NextW

 snapshot_handle: 0x0000047c
process_name: pw.exe
process_identifier: 2320
1 1 0

Process32NextW

 snapshot_handle: 0x0000047c
process_name: sdclt.exe
process_identifier: 2380
1 1 0

Process32NextW

 snapshot_handle: 0x0000047c
process_name: Update.exe
process_identifier: 2548
1 1 0

Process32NextW

 snapshot_handle: 0x0000047c
process_name: schtasks.exe
process_identifier: 2628
1 1 0

Process32NextW

 snapshot_handle: 0x0000047c
process_name: conhost.exe
process_identifier: 2636
1 1 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

 flags: 15
family: 0
111 0
section {u'size_of_data': u'0x001d6000', u'virtual_address': u'0x000bf000', u'entropy': 7.4422018399346355, u'name': u'.rdata', u'virtual_size': u'0x001d5e82'} entropy 7.44220183993 description A section with a high entropy has been found
entropy 0.658263305322 description Overall entropy of this PE file is high
Time & API Arguments Status Return Repeated

RegSetValueExA

 key_handle: 0x000005a4
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
value: 0
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
1 0 0
Bkav W32.AIDetectMalware
Lionic Trojan.Win32.FlyStudio.4!c
Elastic Windows.Generic.Threat
Cynet Malicious (score: 100)
CAT-QuickHeal Risktool.Flystudio.16885
Skyhigh BehavesLike.Win32.Generic.vc
McAfee Artemis!74AB75D72B70
Cylance Unsafe
VIPRE Gen:Variant.Jaik.111029
Sangfor Suspicious.Win32.Save.ins
K7AntiVirus Trojan ( 005246d51 )
BitDefender Gen:Variant.Jaik.111029
K7GW Trojan ( 005246d51 )
Cybereason malicious.72b703
Arcabit Trojan.Jaik.D1B1B5
Symantec ML.Attribute.HighConfidence
tehtris Generic.Malware
ESET-NOD32 a variant of Win32/Packed.FlyStudio.AA potentially unwanted
APEX Malicious
Avast Win32:TrojanX-gen [Trj]
MicroWorld-eScan Gen:Variant.Jaik.111029
Emsisoft Gen:Variant.Jaik.111029 (B)
McAfeeD Real Protect-LS!74AB75D72B70
Trapmine malicious.high.ml.score
FireEye Generic.mg.74ab75d72b703267
Sophos Mal/Generic-S
Ikarus Trojan.Crypt
Google Detected
MAX malware (ai score=85)
Antiy-AVL RiskWare/Win32.FlyStudio.a
Kingsoft malware.kb.a.880
Gridinsoft Trojan.Win32.Packed.sa
Xcitium TrojWare.Win32.Agent.OSCF@5rs7jr
Microsoft Trojan:Win32/Wacatac.A!ml
GData Win32.Trojan.PSE.16KAD3H
Varist W32/Trojan.CLL.gen!Eldorado
AhnLab-V3 Trojan/Win.Generic.R651361
BitDefenderTheta Gen:NN.ZexaF.36806.Ys0@a0Owlcjj
DeepInstinct MALICIOUS
VBA32 BScope.Trojan.Downloader
Malwarebytes Generic.Malware.AI.DDS
TrendMicro-HouseCall TROJ_GEN.R002H0CEV24
SentinelOne Static AI - Malicious PE
MaxSecure Dropper.Dinwod.frindll
Fortinet W32/CoinMiner.PHP!tr
AVG Win32:TrojanX-gen [Trj]
Paloalto generic.ml
CrowdStrike win/malicious_confidence_90% (W)
alibabacloud Trojan:Win/Jaik.Gen