Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Dec. 30, 2024, 1:51 p.m.	Dec. 30, 2024, 1:53 p.m.

Size	3.0MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`73b80a68c704e6e1f91595db16205501`
SHA256	`bac17a64fdf5cb62e16e053919f01b724dc3abbf1bc0e33e20a8f0cbdc7e0fc0`
CRC32	`D32479F9`
ssdeep	`49152:GEjSL635tBXj4PmzQMR9Ica/c6WwQ2Qkq0wjbJZWJvqU4SfV2AM4pqnigA:zS235t94T0I9/caHTwoz4Eg4pH`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature ASPack_Zero - ASPack packed file DllRegisterServer_Zero - execute regsvr32.exe Win32_Trojan_Emotet_1_Zero - Win32 Trojan Emotet IsPE32 - (no description) Generic_Malware_Zero - Generic Malware UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check

33.exe "C:\Users\test22\AppData\Local\Temp\33.exe"
652

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

The executable uses a known packer (1 event)

packer

Armadillo v1.71

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

WAVE

Allocates read-write-execute memory (usually to unpack itself) (50 out of 66 events)

Time & API	Arguments	Status	Return
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10001000 process_handle: 0xffffffff		3221225713
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 86016 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10028000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7576d000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75768000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755fd000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75606000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755f8000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755f6000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75601000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75601000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755f7000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755f8000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x755f7000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75601000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75604000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75604000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75609000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75603000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Dec. 30, 2024, 1:51 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x10009000 process_handle: 0xffffffff	1	0

Foreign language identified in PE resource (35 events)

name

WAVE

language

LANG_CHINESE

filetype

RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 22050 Hz

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0035d964

size

0x00001448

name

RT_CURSOR

language

LANG_CHINESE

filetype

AmigaOS bitmap font

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0035f330

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

AmigaOS bitmap font

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0035f330

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

AmigaOS bitmap font

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0035f330

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

AmigaOS bitmap font

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0035f330

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

AmigaOS bitmap font

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0035f330

size

0x00000134

name

RT_CURSOR

language

LANG_CHINESE

filetype

AmigaOS bitmap font

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0035f330

size

0x00000134

name

RT_BITMAP

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0035f464

size

0x0000016c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0036100c

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0036100c

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0036100c

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0036100c

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0036100c

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0036100c

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0036100c

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0036100c

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0036100c

size

0x0000018c

name

RT_DIALOG

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x0036100c

size

0x0000018c

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00361a54

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00361a54

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00361a54

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00361a54

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00361a54

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00361a54

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00361a54

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00361a54

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00361a54

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00361a54

size

0x00000024

name

RT_STRING

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00361a54

size

0x00000024

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00361ac8

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00361ac8

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00361ac8

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00361ac8

size

0x00000022

name

RT_GROUP_CURSOR

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00361ac8

size

0x00000022

name

RT_VERSION

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00361b1c

size

0x00000240

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\HPSocket4C.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\HPSocket4C.dll

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x001e7000', u'virtual_address': u'0x000f2000', u'entropy': 7.652715836639323, u'name': u'.rdata', u'virtual_size': u'0x001e6c0e'}

entropy

7.65271583664

description

A section with a high entropy has been found

entropy

0.630012936611

description

Overall entropy of this PE file is high

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Generic.lIa2
tehtris	Generic.Malware
Cynet	Malicious (score: 100)
CAT-QuickHeal	Trojan.Ghanarava.1706902242205501
Skyhigh	BehavesLike.Win32.Generic.wc
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
CrowdStrike	win/malicious_confidence_90% (W)
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.FlyStudio.AA potentially unwanted
APEX	Malicious
Avast	FileRepMalware [Misc]
ClamAV	Win.Malware.Generic-10032482-0
McAfeeD	Real Protect-LS!73B80A68C704
Trapmine	suspicious.low.ml.score
CTX	exe.trojan.generic
Sophos	Generic Reputation PUA (PUA)
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.73b80a68c704e6e1
Jiangmin	Trojan.Chistudi.p
Google	Detected
Antiy-AVL	RiskWare/Win32.FlyStudio.a
Gridinsoft	Trojan.Win32.Gen.bot!i
Microsoft	Program:Win32/Wacapew.C!ml
GData	Win32.Trojan.PSE.18B7I2K
Varist	W32/Trojan.IRG.gen!Eldorado
McAfee	Artemis!73B80A68C704
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware.AI.DDS
Ikarus	Trojan.Win32.Agent
MaxSecure	Dropper.Dinwod.frindll
Fortinet	W32/CoinMiner.PHP!tr
AVG	FileRepMalware [Misc]
Paloalto	generic.ml

33.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All