Source: zixing.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: zixing.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
Source: |
Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: zixing.exe |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DEA534 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, |
0_2_00DEA534 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DFB820 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, |
0_2_00DFB820 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00E0A928 FindFirstFileExA, |
0_2_00E0A928 |
Source: unknown |
DNS traffic detected: query: 206.23.85.13.in-addr.arpa replaycode: Name error (3) |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: global traffic |
DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa |
Source: zwei.exe.0.dr |
String found in binary or memory: http://192.168.0.188:9011/mon?monNo= |
Source: zwei.exe.0.dr |
String found in binary or memory: http://j32303f290.zicp.vip:9011/imageszt/ |
Source: zwei.exe.0.dr |
String found in binary or memory: http://www.Jewsys.com |
Source: zwei.exe.0.dr |
String found in binary or memory: http://www.zwei.com__vbaFailedFriend |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DE7165: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, |
0_2_00DE7165 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DF65B6 |
0_2_00DF65B6 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DE8525 |
0_2_00DE8525 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DE404E |
0_2_00DE404E |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DF702F |
0_2_00DF702F |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DEE1E0 |
0_2_00DEE1E0 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00E00146 |
0_2_00E00146 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DE326D |
0_2_00DE326D |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00E0457A |
0_2_00E0457A |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00E0055E |
0_2_00E0055E |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DE27D4 |
0_2_00DE27D4 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DEE7E0 |
0_2_00DEE7E0 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00E047A9 |
0_2_00E047A9 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DF3731 |
0_2_00DF3731 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DEF8A8 |
0_2_00DEF8A8 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DF69EB |
0_2_00DF69EB |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DF39AC |
0_2_00DF39AC |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00E00993 |
0_2_00E00993 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00E0CA20 |
0_2_00E0CA20 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DF5BE7 |
0_2_00DF5BE7 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DF3CDD |
0_2_00DF3CDD |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DEEC54 |
0_2_00DEEC54 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DFFC4A |
0_2_00DFFC4A |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00E00DC8 |
0_2_00E00DC8 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DEDDAC |
0_2_00DEDDAC |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DEBD53 |
0_2_00DEBD53 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00E0CECE |
0_2_00E0CECE |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00E10FD4 |
0_2_00E10FD4 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DE5F0C |
0_2_00DE5F0C |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: String function: 00DFE1C0 appears 52 times |
|
Source: C:\Users\user\Desktop\zixing.exe |
Code function: String function: 00DFE0E4 appears 35 times |
|
Source: C:\Users\user\Desktop\zixing.exe |
Code function: String function: 00DFEB60 appears 31 times |
|
Source: zixing.exe, 00000000.00000003.1235618538.00000000077D4000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenamezwei.exe vs zixing.exe |
Source: zwei.exe.0.dr |
Binary or memory string: *\AD:\AAcode\sjgc-zx\code\zwei.vbp |
Source: classification engine |
Classification label: clean8.winEXE@1/6@1/0 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DE6E5E GetLastError,FormatMessageW, |
0_2_00DE6E5E |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DF9D9A FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, |
0_2_00DF9D9A |
Source: C:\Users\user\Desktop\zixing.exe |
File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_6141312 |
Source: C:\Users\user\Desktop\zixing.exe |
Command line argument: q |
0_2_00DFD42A |
Source: C:\Users\user\Desktop\zixing.exe |
Command line argument: sfxname |
0_2_00DFD42A |
Source: C:\Users\user\Desktop\zixing.exe |
Command line argument: sfxstime |
0_2_00DFD42A |
Source: C:\Users\user\Desktop\zixing.exe |
Command line argument: STARTDLG |
0_2_00DFD42A |
Source: C:\Users\user\Desktop\zixing.exe |
Command line argument: pZ |
0_2_00DFD42A |
Source: zixing.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\zixing.exe |
File read: C:\Windows\win.ini |
Source: C:\Users\user\Desktop\zixing.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Users\user\Desktop\zixing.exe |
File read: C:\Users\user\Desktop\zixing.exe |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: api-ms-win-core-synch-l1-2-0.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: api-ms-win-core-fibers-l1-1-1.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: api-ms-win-core-synch-l1-2-0.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: api-ms-win-core-fibers-l1-1-1.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: api-ms-win-core-localization-l1-2-1.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: dxgidebug.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: sfc_os.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: dwmapi.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: riched20.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: usp10.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: msls31.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: windowscodecs.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: textshaping.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: textinputframework.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: coreuicomponents.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: coremessaging.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: ntmarta.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\zixing.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32 |
Source: zixing.exe |
Static file information: File size 3412029 > 1048576 |
Source: zixing.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: zixing.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: zixing.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: zixing.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: zixing.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: zixing.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: zixing.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: zixing.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: zixing.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: zixing.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: zixing.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: zixing.exe |
Static PE information: section name: .didat |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DFE0E4 push eax; ret |
0_2_00DFE102 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DFEBA6 push ecx; ret |
0_2_00DFEBB9 |
Source: C:\Users\user\Desktop\zixing.exe |
File created: C:\Users\user\Desktop\update\zwei.exe |
Source: C:\Users\user\Desktop\zixing.exe |
Dropped PE file which has not been started: C:\Users\user\Desktop\update\zwei.exe |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DFDBC8 VirtualQuery,GetSystemInfo, |
0_2_00DFDBC8 |
Source: C:\Users\user\Desktop\zixing.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00E084EF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00E084EF |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00E07363 mov eax, dword ptr fs:[00000030h] |
0_2_00E07363 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00E0B610 GetProcessHeap, |
0_2_00E0B610 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DFF07B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00DFF07B |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DFED65 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00DFED65 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DFEEB3 SetUnhandledExceptionFilter, |
0_2_00DFEEB3 |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DFEBBB cpuid |
0_2_00DFEBBB |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DFA5BC GetLocaleInfoW,GetNumberFormatW, |
0_2_00DFA5BC |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DFD42A GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, |
0_2_00DFD42A |
Source: C:\Users\user\Desktop\zixing.exe |
Code function: 0_2_00DEAC35 GetVersionExW, |
0_2_00DEAC35 |