

Windows Analysis Report
ZKNiiqoHKV.exe

Overview

General Information

Sample name: ZKNiiqoHKV.exe (renamed because the original name is a hash value)
Original sample name: 6bacbe921c817ef6fc3d2fa1b8cd100452d5f002bd76ce536632abc633f571ae.exe
Analysis ID: 1538056
MD5: 1169e07116b990459d7c3d52bc4f58fe
SHA1: f4d6680399237143f914902bf7c8be0475589625
SHA256: 6bacbe921c817ef6fc3d2fa1b8cd100452d5f002bd76ce536632abc633f571ae
Tags: exe, user-0xv

Detection

Score: 60 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Machine Learning detection for sample
PE file contains section with special chars
Entry point lies outside standard sections
PE file contains more sections than normal
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info

Classification

  • System is w10x64
  • ZKNiiqoHKV.exe (PID: 6932 cmdline: "C:\Users\user\Desktop\ZKNiiqoHKV.exe" MD5: 1169E07116B990459D7C3D52BC4F58FE)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: ZKNiiqoHKV.exe | ReversingLabs: Detection 34%
Source: ZKNiiqoHKV.exe | VirusTotal: Detection 51%
Source: submitted sample | Integrated Neural Analysis Model: matched with 93.6% probability
Source: ZKNiiqoHKV.exe | Joe Sandbox ML: detected

System Summary

Source: ZKNiiqoHKV.exe | Static PE information: 7 sections whose names consist only of non-printable characters (they appear blank in the section table below)
Source: ZKNiiqoHKV.exe | Static PE information: Number of sections: 13 > 10
Source: ZKNiiqoHKV.exe (and memory dump 00000000.00000002.2911223832.0000000141E04000.00000002.00000001.01000000.00000003.sdmp) | Binary or memory string: OriginalFilename GunzLegacy.exe8 vs ZKNiiqoHKV.exe
Source: ZKNiiqoHKV.exe | Static PE information: unnamed section, ZLIB complexity 0.993994433008982
Source: ZKNiiqoHKV.exe | Static PE information: unnamed section, ZLIB complexity 0.9973697916666666
Source: ZKNiiqoHKV.exe | Static PE information: section .reloc, ZLIB complexity 1.5 (a ratio above 1.0 here only means the section holds 0x10 raw bytes, so zlib's framing overhead exceeds the data; it is not a packing signal)
Source: classification engine | Classification label: mal60.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (the Software Restriction Policies key; Windows consults it during process creation for any program, so this read is expected and not suspicious on its own)
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe | Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe | Section loaded: d3dx9_43.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe | Section loaded: fmod64.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe | Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\ZKNiiqoHKV.exe | Section loaded: wldp.dll
Source: ZKNiiqoHKV.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: ZKNiiqoHKV.exe | Static file information: File size 6152208 > 1048576
Source: ZKNiiqoHKV.exe | Static PE information: Raw size of the first (unnamed) section is bigger than 0x100000: 0x1fe000
Source: ZKNiiqoHKV.exe | Static PE information: Raw size of .boot is bigger than 0x100000: 0x2ff400
Source: initial sample | Static PE information: section the entry point points into: .boot
Source: ZKNiiqoHKV.exe | Static PE information: non-standard section names: 7 unnamed sections (non-printable names), .themida, .boot
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
MITRE ATT&CK matrix. Only the cells the report marked with a count are matched techniques; the remaining cells of the original matrix were unmatched placeholders and are omitted here:
Persistence: DLL Side-Loading (1)
Privilege Escalation: DLL Side-Loading (1)
Defense Evasion: Software Packing (1), DLL Side-Loading (1)
Discovery: System Information Discovery (1)
Note that no dropped files and no injected processes were found, so the DLL Side-Loading entries rest on the DLL-load events listed under System Summary alone.
Source | Detection | Scanner | Label
ZKNiiqoHKV.exe | 34% | ReversingLabs | Win64.Trojan.Generic
ZKNiiqoHKV.exe | 51% | VirusTotal |
ZKNiiqoHKV.exe | 100% | Joe Sandbox ML |
No Antivirus matches in the remaining AV subsections
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1538056
Start date and time: 2024-10-20 07:09:06 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 1s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ZKNiiqoHKV.exe (renamed because the original name is a hash value)
Original Sample Name: 6bacbe921c817ef6fc3d2fa1b8cd100452d5f002bd76ce536632abc633f571ae.exe
Detection: MAL
Classification: mal60.winEXE@1/0@0/0
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Zero executed functions, a Timeout stop reason and the "idle" signature together mean the dynamic part of this report is thin; the behaviour recorded should not be read as the sample's full behaviour.
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
  • Execution Graph export aborted for target ZKNiiqoHKV.exe, PID 6932 because there are no executed functions
  • Not all processes were analyzed; the report is missing behavior information
No simulations
No context
No created / dropped files found
File type: PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit): 7.838331867842023
TrID:
  • Win64 Executable GUI (202006/5) 92.65%
  • Win64 Executable (generic) (12005/4) 5.51%
  • Generic Win/DOS Executable (2004/3) 0.92%
  • DOS Executable Generic (2002/1) 0.92%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: ZKNiiqoHKV.exe
File size: 6'152'208 bytes
MD5: 1169e07116b990459d7c3d52bc4f58fe
SHA1: f4d6680399237143f914902bf7c8be0475589625
SHA256: 6bacbe921c817ef6fc3d2fa1b8cd100452d5f002bd76ce536632abc633f571ae
SHA512: e0d01375f1406f000984310da01c4a47392bfe047e1765c884539a6de5cecac57e2dc4689a543640351b3c87d7b5b1f66814601e734bc391566b38521690c2dd
SSDEEP: 98304:PFfja85LghXwp+TXGRgUjK7WzvqutBUwSoKVFuYgNXrxJmEYM7WFW4i6iQ3h4zWF:wi8XHXYgUjiWzvqkxSoWBwiU4LiI4aF
TLSH: C2561227F684ADD6D1E336B6CF0524414713BF221A861659A03F36C9FA3558F87A23CB
File Content Preview: MZ......................@...................................`...........!..L.!This program cannot be run in DOS mode....$.......O.J...$Y..$Y..$Y@.'X..$Y.._Y..$Y...Y..$Y@. X:.$Y@.!X..$Y@."X..$Y.. X..$Y..'X..$Y..!X..$Y1g X..$Y1g'X..$Y]._Y..$Y...Y..$Y,!_Y..$
Icon Hash: e7633d1e4b6d3015
Entrypoint: 0x14231b058
Entrypoint Section: .boot
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, TERMINAL_SERVER_AWARE (DYNAMIC_BASE and NX_COMPAT are absent, so the image is mapped at its fixed base; HIGH_ENTROPY_VA without DYNAMIC_BASE has no effect, which is consistent with the 0x10-byte .reloc section)
Time Stamp: 0x662FBE31 [Mon Apr 29 15:35:13 2024 UTC]
TLS Callbacks: none listed (a TLS directory is present; see the data directories below)
CLR (.Net) Version: none
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 7e6f624a623fc1ceed378db513c1db46
Instruction (disassembly at the entry point, 0x14231b058 in .boot)
Note: the listing below was decoded as 32-bit code. In a PE32+ image the bytes 0x41, 0x48 and 0x49 are REX prefixes rather than inc ecx, dec eax and dec ecx, so each such pair is one x64 instruction: "inc ecx; push edx" is push r10, "dec ecx; mov edx, esp" is mov r10, rsp, "dec ecx; mov esi, dword ptr [edx+10h]" is mov rsi, [r10+10h], and "dec eax; inc esi" is inc rsi. The tag-byte loop that follows (mov dl, 80h; add dl, dl; jne; mov dl, byte ptr [esi]; adc dl, dl) is the bit-reader idiom of an aPLib-style LZ decompressor, which fits an entry point in the packer's .boot section rather than in original program code.
call 00007F71591D1FB7h
inc ecx
push edx
dec ecx
mov edx, esp
inc ecx
push edx
dec ecx
mov esi, dword ptr [edx+10h]
dec ecx
mov edi, dword ptr [edx+20h]
cld
mov dl, 80h
mov al, byte ptr [esi]
dec eax
inc esi
mov byte ptr [edi], al
dec eax
inc edi
mov ebx, 00000002h
add dl, dl
jne 00007F71591D1E39h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jnc 00007F71591D1E16h
add dl, dl
jne 00007F71591D1E39h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jnc 00007F71591D1E90h
xor eax, eax
add dl, dl
jne 00007F71591D1E39h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jnc 00007F71591D1F38h
add dl, dl
jne 00007F71591D1E39h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F71591D1E39h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F71591D1E39h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F71591D1E39h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
je 00007F71591D1E3Bh
push edi
mov eax, eax
dec eax
sub edi, eax
mov al, byte ptr [edi]
pop edi
mov byte ptr [edi], al
dec eax
inc edi
mov ebx, 00000002h
jmp 00007F71591D1DBAh
mov eax, 00000001h
add dl, dl
jne 00007F71591D1E39h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
adc eax, eax
add dl, dl
jne 00007F71591D1E39h
mov dl, byte ptr [esi]
dec eax
inc esi
adc dl, dl
jc 00007F71591D1E18h
sub eax, ebx
mov ebx, 00000001h
jne 00007F71591D1E60h
mov ecx, 00000001h
Programming Language:
  • [IMP] VS2005 build 50727
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1da9251 | 0x310 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1dab000 | 0x5b688 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x22b688c | 0x2d36c | .themida
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x261b000 | 0x10 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x1daa018 | 0x28 | .tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Note: the exception directory points into .themida, a section with no raw data on disk (see the section table below), so the x64 unwind information only exists after the unpacking stub has populated that section at run time.
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(non-printable) | 0x1000 | 0x43a5fc | 0x1fe000 | c79b1956b7e29e74321fb8164b9d2715 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
(non-printable) | 0x43c000 | 0xfc018 | 0x53800 | 049e5b46815e952035e4cc1d04523ad8 | False | 0.993994433008982 | data | 7.948410341761069 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(non-printable) | 0x539000 | 0x17d1424 | 0x6e00 | 4e860e0acb7264a2a0ff64a0665249fe | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(non-printable) | 0x1d0b000 | 0x2d300 | 0x1a800 | b33213f26ade5c573e083f069efca599 | False | 0.9510889593160378 | data | 7.6973046929840505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(non-printable) | 0x1d39000 | 0x15c | 0x200 | f62c839df22bae3afd8e8f3051131e38 | False | 0.421875 | data | 3.4689129896223285 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(non-printable) | 0x1d3a000 | 0x5b688 | 0x9600 | 95881821aabd8cb83a5deacb01fa14c5 | False | 0.9973697916666666 | data | 7.949298340088709 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
(non-printable) | 0x1d96000 | 0x125a4 | 0x6000 | 67eea4667fda8fedcb7540a406c81df0 | False | 0.5920003255208334 | data | 7.656381181007976 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata | 0x1da9000 | 0x1000 | 0x600 | 4a4b786f4168b012ed0d7ccba2cc2258 | False | 0.3860677083333333 | data | 3.738362225674898 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls | 0x1daa000 | 0x1000 | 0x200 | 46a3fa9b9c474bebe443ead3ca8d98ab | False | 0.0625 | data | 0.28456851570206254 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x1dab000 | 0x5b800 | 0x5b800 | 2a0888d24145ea2eabeab39a5e2b301b | False | 0.10006030140027322 | data | 2.079425753252139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida | 0x1e07000 | 0x514000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.boot | 0x231b000 | 0x2ff400 | 0x2ff400 | f7cc1add78644617f396f9aa8a131806 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0x261b000 | 0x1000 | 0x10 | a51e02a72ae53a9f5a7067a2fe4ecbe8 | False | 1.5 | GLS_BINARY_LSB_FIRST | 2.5306390622295662 | IMAGE_SCN_MEM_READ
Note: .themida has a raw size of 0 (its MD5 is that of empty input) but 0x514000 bytes of virtual size, flagged code, executable and writable; .boot, which holds the entry point, is the 0x2ff400-byte packed payload that the stub unpacks into it. Several other sections have a virtual size far larger than their raw size (for example 0x17d1424 virtual against 0x6e00 raw), which is also filled in at run time.
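To reproduce the static checks behind the signatures listed above (section names with special characters, entry point outside standard sections, more than 10 sections, and the per-section ZLIB complexity and entropy figures), the following is an added Python example written for this page; it is not Joe Sandbox code and contains no bytes of the sample. It parses a PE32+ section table with the standard library only and runs the checks over a synthetic image built inline to mirror the section table above: same names, virtual addresses and virtual sizes, but constructed pseudo-random filler in place of the real section contents, and placeholder control-character names standing in for the seven names the report rendered blank (an assumption about what those names contain). The thresholds used (10 sections, a zlib ratio of 0.95) are this example's choices, not the report's.

```python
# Static PE triage checks of the kind the report lists above (section names with
# special characters, entry point outside standard sections, more than 10 sections,
# code section with no raw data, per-section entropy and ZLIB complexity). Added
# example for this page, not Joe Sandbox code; standard library only. It runs on a
# synthetic PE32+ skeleton built inline that mirrors the report's section layout;
# the section contents are constructed pseudo-random filler, not bytes of the sample.
import collections, hashlib, math, struct, zlib

STANDARD_NAMES = {b".text", b".data", b".rdata", b".idata", b".edata", b".pdata",
                  b".rsrc", b".reloc", b".tls", b".bss", b".CRT", b".xdata"}
CODE, IDATA, X, R, W = 0x20, 0x40, 0x20000000, 0x40000000, 0x80000000  # IMAGE_SCN_*

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant, 8.0 for uniform."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(data).values()) if n else 0.0

def zlib_complexity(data: bytes) -> float:
    """Compressed size / raw size; ~1.0 means already compressed or encrypted. Above 1.0
    is zlib framing overhead on tiny inputs (the report's 16-byte .reloc at 1.5), not a signal."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0

def parse_pe(image: bytes) -> dict:
    """Minimal PE32+ header and section-table reader."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # IMAGE_OPTIONAL_HEADER64
    sections = []
    for i in range(nsec):
        f = struct.unpack_from("<8sIIIIIIHHI", image, opt + opt_size + 40 * i)
        raw = image[f[4]:f[4] + f[3]] if f[3] else b""    # PointerToRawData, SizeOfRawData
        sections.append({"name": f[0].rstrip(b"\0"), "vsize": f[1], "va": f[2], "raw_size": f[3],
                         "chars": f[9], "entropy": entropy(raw), "zlib": zlib_complexity(raw)})
    return {"entry_rva": struct.unpack_from("<I", image, opt + 16)[0], "sections": sections}

def triage(image: bytes) -> dict:
    """The static findings a packer-aware analyst looks at first."""
    pe = parse_pe(image)
    secs = pe["sections"]
    entry = next((s for s in secs if s["va"] <= pe["entry_rva"]
                  < s["va"] + max(s["vsize"], s["raw_size"])), None)
    return {
        "section_count": len(secs),
        "too_many_sections": len(secs) > 10,
        "special_char_names": [s["name"] for s in secs if any(b < 0x21 or b > 0x7E for b in s["name"])],
        "nonstandard_names": [s["name"] for s in secs if s["name"] not in STANDARD_NAMES],
        "entry_section": entry["name"] if entry else None,
        "entry_outside_standard": entry is None or entry["name"] not in STANDARD_NAMES,
        # executable section with no bytes on disk: the unpacker fills it at run time
        "runtime_filled_code": [s["name"] for s in secs if s["raw_size"] == 0 and s["vsize"] and s["chars"] & X],
        "packed_sections": [s["name"] for s in secs if s["raw_size"] and s["zlib"] > 0.95],
    }

def pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic incompressible filler (SHA-256 chain); constructed test data."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])

def build_synthetic_pe(layout, entry_rva: int) -> bytes:
    """Bare PE32+ skeleton (DOS header, COFF + optional header, section table, raw bytes)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew
    opt = bytearray(240)                                   # PE32+ optional header size
    struct.pack_into("<H", opt, 0, 0x20B)                  # Magic: PE32+
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)           # ImageBase, as in the report
    coff = struct.pack("<HHIIIHH", 0x8664, len(layout), 0, 0, 0, len(opt), 0x22)
    raw_off = (68 + len(coff) + len(opt) + 40 * len(layout) + 0x1FF) & ~0x1FF
    table, body = bytearray(), bytearray()
    for name, vsize, va, data, chars in layout:
        ptr = raw_off + len(body) if data else 0
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(data), ptr, 0, 0, 0, 0, chars)
        body += data
    head = dos + b"PE\0\0" + coff + opt + table
    return bytes(head) + bytes(raw_off - len(head)) + bytes(body)

# Constructed layout: names, VAs and virtual sizes follow the report's section table; the
# seven unnamed sections get placeholder control-character names. Not real sample bytes.
SAMPLE_LAYOUT = [
    (b"\x01\x02", 0x43A5FC, 0x1000, pseudo_random(4096, b"s0"), CODE | X | R),
    (b"\x03\x04", 0xFC018, 0x43C000, pseudo_random(2048, b"s1"), IDATA | R),
    (b"\x05\x06", 0x17D1424, 0x539000, pseudo_random(512, b"s2"), IDATA | R | W),
    (b"\x07\x08", 0x2D300, 0x1D0B000, pseudo_random(1024, b"s3"), IDATA | R),
    (b"\x0b\x0c", 0x15C, 0x1D39000, bytes(0x200), IDATA | R),
    (b"\x0e\x0f", 0x5B688, 0x1D3A000, pseudo_random(1024, b"s5"), IDATA | R),
    (b"\x10\x11", 0x125A4, 0x1D96000, pseudo_random(1024, b"s6"), IDATA | R),
    (b".idata", 0x1000, 0x1DA9000, bytes(0x600), IDATA | R | W),
    (b".tls", 0x1000, 0x1DAA000, bytes(0x200), R | W),
    (b".rsrc", 0x5B800, 0x1DAB000, bytes(0x800), IDATA | R),
    (b".themida", 0x514000, 0x1E07000, b"", CODE | IDATA | X | R | W),   # raw size 0
    (b".boot", 0x2FF400, 0x231B000, pseudo_random(4096, b"boot"), CODE | IDATA | X | R),
    (b".reloc", 0x1000, 0x261B000, bytes(16), R),
]
SAMPLE_PE = build_synthetic_pe(SAMPLE_LAYOUT, entry_rva=0x231B058)
```

Calling triage(SAMPLE_PE) reports 13 sections, seven names with special characters, the entry point in .boot (outside the standard names), .themida as an executable section with no bytes on disk, and every pseudo-random section as packed, which is the same set of findings the report derives for the real file. To run it against a real binary, replace SAMPLE_PE with the file's bytes; parse_pe handles PE32+ only, which is all this sample needs.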
Name | RVA | Size | Type | Language (Country) | ZLIB Complexity
RT_ICON | 0x1dab1c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Korean (listed for North Korea and South Korea) | 0.2978723404255319
RT_ICON | 0x1dab638 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Korean (listed for North Korea and South Korea) | 0.24262295081967214
RT_ICON | 0x1dabfd0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Korean (listed for North Korea and South Korea) | 0.20919324577861162
RT_ICON | 0x1dad088 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Korean (listed for North Korea and South Korea) | 0.16224066390041494
RT_ICON | 0x1daf640 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | Korean (listed for North Korea and South Korea) | 0.14218233349078885
RT_ICON | 0x1db3878 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | Korean (listed for North Korea and South Korea) | 0.10500709807169052
RT_ICON | 0x1dc40b0 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 0 | Korean (listed for North Korea and South Korea) | 0.08794049767730863
RT_GROUP_ICON | 0x1e060e8 | 0x68 | data | Korean (listed for North Korea and South Korea) | 0.7403846153846154
RT_VERSION | 0x1e06160 | 0x2ec | data | English (United States) | 0.4451871657754011
RT_MANIFEST | 0x1e0645c | 0x227 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (491), with CRLF line terminators | English (United States) | 0.5353901996370236
DLL | Import
kernel32.dll | GetModuleHandleA
WININET.dll | HttpQueryInfoA
d3d9.dll | Direct3DCreate9
d3dx9_43.dll | D3DXVec3Normalize
fmod64.dll | FSOUND_Update
USER32.dll | SetWindowPlacement
GDI32.dll | GetPixel
MSIMG32.dll | TransparentBlt
WINSPOOL.DRV | DocumentPropertiesA
ADVAPI32.dll | RegSetValueExW
SHELL32.dll | SHGetSpecialFolderPathA
SHLWAPI.dll | StrStrIA
UxTheme.dll | DrawThemeText
ole32.dll | CoTaskMemAlloc
OLEAUT32.dll | VariantCopy
WS2_32.dll | WSAEventSelect
gdiplus.dll | GdipCreatePen1
OLEACC.dll | LresultFromObject
IMM32.dll | ImmGetContext
WINMM.dll | PlaySoundA
dbghelp.dll | MiniDumpWriteDump
Note: every DLL appears with exactly one imported function (kernel32.dll contributes only GetModuleHandleA). For a Direct3D and FMOD game client that is far too few to be the real import table; it is the stub's placeholder table, and the real imports are resolved by the unpacker at run time. The import hash above therefore fingerprints the packer's stub, not the original program.
Language of compilation system | Country where language is spoken
Korean | North Korea, South Korea
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 20, 2024 07:10:24.414190054 CEST | 53 | 51804 | 1.1.1.1 | 192.168.2.4
(one inbound UDP packet from a public resolver; the report attributes no DNS query to the sample)

Target ID: 0
Start time: 01:09:55
Start date: 20/10/2024
Path: C:\Users\user\Desktop\ZKNiiqoHKV.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\ZKNiiqoHKV.exe"
Imagebase: 0x140000000
File size: 6'152'208 bytes
MD5 hash: 1169E07116B990459D7C3D52BC4F58FE
Has elevated privileges: true
Has administrator privileges: true (the sandbox launched the sample from an elevated session, so the absence of UAC-bypass or privilege-escalation behaviour in this report says nothing about the sample)
Programmed in: C, C++ or other language
Reputation: low
Has exited: false

No disassembly