Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Sept. 17, 2024, 1:34 p.m.	Sept. 17, 2024, 1:50 p.m.

Size	5.3MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`1afd58e3f054a7792007060ed612a7a9`
SHA256	`f0cddb254626a7ad3850d27c4e6e2e526e2959b5fc1e785de615daf2d49af7e2`
CRC32	`3B897EB7`
ssdeep	`98304:tdX+qo+or2V/wybMgK6ZjL25HinyNxskjcfh38ZEwjSUErYuMVQsoXiL2nl:nlo+or2VrogK6ZjL25HinyNxskjcfh3Z`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Malicious_Packer_Zero - Malicious Packer ASPack_Zero - ASPack packed file DllRegisterServer_Zero - execute regsvr32.exe Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

bIBnZA9851zj.exe "C:\Users\test22\AppData\Local\Temp\bIBnZA9851zj.exe"
2632

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 17, 2024, 1:34 p.m.		1	1	0

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	TEXTINCLUDE
resource name	WAVE

Allocates read-write-execute memory (usually to unpack itself) (50 out of 72 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x733d2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10000000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 region_size: 1576960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03050000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 region_size: 1052672 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02e50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02621000 process_handle: 0xffffffff		3221225713
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 86016 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02648000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7643d000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76438000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7585d000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75866000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75858000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75856000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75861000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75861000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75857000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75858000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75857000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75861000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75864000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75864000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Sept. 17, 2024, 1:34 p.m.	process_identifier: 2632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02629000 process_handle: 0xffffffff	1	0

Foreign language identified in PE resource (50 out of 55 events)

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005c5fac

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005c5fac

size

0x00000151

name

TEXTINCLUDE

language

LANG_CHINESE

filetype

C source, ASCII text, with CRLF line terminators

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005c5fac

size

0x00000151

name

WAVE

language

LANG_CHINESE

filetype

RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 22050 Hz

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005c6100

size

0x00001448

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ca760

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ca760

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ca760

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ca760

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ca760

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ca760

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ca760

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ca760

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ca760

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ca760

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ca760

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ca760

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ca760

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ca760

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ca760

size

0x00000144

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ca760

size

0x00000144

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005cb904

size

0x00000284

name

RT_MENU

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005cb904

size

0x00000284

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ccb4c

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ccb4c

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ccb4c

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ccb4c

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ccb4c

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ccb4c

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ccb4c

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ccb4c

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ccb4c

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005ccb4c

size

0x0000018c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005cd594

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005cd594

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005cd594

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005cd594

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005cd594

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005cd594

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005cd594

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005cd594

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005cd594

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005cd594

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005cd594

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005cd644

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005cd644

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005cd644

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005cd644

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005cd644

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005cd644

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

Lotus unknown worksheet or configuration, revision 0x2

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x005cd644

size

0x00000022

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\213f296.tmp
file	C:\Users\test22\AppData\Local\Temp\213f267.tmp

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Bkav	W32.AIDetectMalware
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
Skyhigh	BehavesLike.Win32.Generic.th
ALYac	Gen:Variant.Zusy.552523
Cylance	Unsafe
VIPRE	Gen:Variant.Zusy.552523
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_70% (D)
BitDefender	Gen:Variant.Zusy.552523
K7GW	Trojan ( 005246d51 )
K7AntiVirus	Trojan ( 005246d51 )
Arcabit	Trojan.Zusy.D86E4B
Symantec	ML.Attribute.HighConfidence
Elastic	Windows.Generic.Threat
ESET-NOD32	a variant of Win32/Packed.FlyStudio.AA potentially unwanted
APEX	Malicious
Avast	Win32:MalwareX-gen [Trj]
ClamAV	Win.Malware.Trojanx-9951053-0
Kaspersky	VHO:Trojan.Win32.Blamon.gen
MicroWorld-eScan	Gen:Variant.Zusy.552523
Emsisoft	Gen:Variant.Zusy.552523 (B)
McAfeeD	Real Protect-LS!1AFD58E3F054
CTX	exe.unknown.zusy
Sophos	Generic ML PUA (PUA)
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.1afd58e3f054a779
Jiangmin	HackTool.FlyStudio.beg
Google	Detected
Antiy-AVL	Trojan[Packed]/Win32.FlyStudio
Kingsoft	malware.kb.a.971
Xcitium	TrojWare.Win32.Agent.OSCF@5rs7jr
Microsoft	Program:Win32/Wacapew.C!ml
ZoneAlarm	VHO:Trojan.Win32.Blamon.gen
GData	Win32.Trojan.PSE.11U3QNE
Varist	W32/Trojan.IRG.gen!Eldorado
AhnLab-V3	Trojan/Win.TrojanX-gen.R601455
McAfee	GenericRXSH-CA!1AFD58E3F054
DeepInstinct	MALICIOUS
VBA32	BScope.Trojan.Occamy
Malwarebytes	Generic.Malware.AI.DDS
Ikarus	Trojan.Win32.Generic
MaxSecure	Trojan.Malware.121218.susgen
Fortinet	W32/CoinMiner.PHP!tr
AVG	Win32:MalwareX-gen [Trj]

bIBnZA9851zj.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All