File name: DZKJ-1.0.0.55.exe

Full analysis: https://app.any.run/tasks/ef66af80-5cbe-4050-be11-d939b0293a9e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 11, 2025, 09:18:15
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: loader, themida
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: B3B94932A44A4F813E8918CD8CD5C68E
SHA1: ED9107FC92AD4BDECE3A8E0CC9654CC78439E66E
SHA256: A53F65579B6FCF79CFC822340A5733148229BA8F1E865BCEBBB347AF1E21D9CA
SSDEEP: 98304:ZHn5c3TIlZFbCqpUDzt8Aie/yqzGCJJJLG9vOYWXIBmybI7Ut6PRj9QhyfUMM146:1b3Bg3S1v3b3R3zNNd5o1Qn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Registers / Runs the DLL via REGSVR32.EXE
      • DZKJ-1.0.0.55.exe (PID: 5568)
  • SUSPICIOUS
    • Reads the BIOS version
      • DZKJ-1.0.0.55.exe (PID: 5568)
    • Executable content was dropped or overwritten
      • DZKJ-1.0.0.55.exe (PID: 5568)
    • Potential Corporate Privacy Violation
      • DZKJ-1.0.0.55.exe (PID: 5568)
    • Creates/Modifies COM task schedule object
      • regsvr32.exe (PID: 2216)
    • Reads Microsoft Outlook installation path
      • DZKJ-1.0.0.55.exe (PID: 5568)
    • Reads security settings of Internet Explorer
      • DZKJ-1.0.0.55.exe (PID: 5568)
    • There is functionality for taking screenshots (YARA)
      • DZKJ-1.0.0.55.exe (PID: 5568)
    • Process requests binary or script from the Internet
      • DZKJ-1.0.0.55.exe (PID: 5568)
    • Reads Internet Explorer settings
      • DZKJ-1.0.0.55.exe (PID: 5568)
    • Checks Windows Trust Settings
      • DZKJ-1.0.0.55.exe (PID: 5568)
  • INFO
    • Process checks whether UAC notifications are on
      • DZKJ-1.0.0.55.exe (PID: 5568)
    • Checks supported languages
      • DZKJ-1.0.0.55.exe (PID: 5568)
    • The sample was compiled with English language support
      • DZKJ-1.0.0.55.exe (PID: 5568)
    • Reads the machine GUID from the registry
      • DZKJ-1.0.0.55.exe (PID: 5568)
    • The sample was compiled with Chinese language support
      • DZKJ-1.0.0.55.exe (PID: 5568)
    • Reads the computer name
      • DZKJ-1.0.0.55.exe (PID: 5568)
    • Checks proxy server information
      • DZKJ-1.0.0.55.exe (PID: 5568)
    • Themida protector has been detected
      • DZKJ-1.0.0.55.exe (PID: 5568)
    • Creates files or folders in the user directory
      • DZKJ-1.0.0.55.exe (PID: 5568)
    • Reads CPU info
      • DZKJ-1.0.0.55.exe (PID: 5568)
    • Reads the software policy settings
      • DZKJ-1.0.0.55.exe (PID: 5568)
    • Creates files in a temporary directory
      • DZKJ-1.0.0.55.exe (PID: 5568)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:12:08 11:56:38+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 1486848
InitializedDataSize: 11169792
UninitializedDataSize: -
EntryPoint: 0x1135ebc
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.55
ProductVersionNumber: 1.0.0.55
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Unicode
FileVersion: 1.0.0.55
FileDescription: DZKJ Schematics & PCB Layout
ProductName: 东震科技电子图
ProductVersion: 1.0.0.55
CompanyName: DZKJ Schematics
LegalCopyright: DZKJ Schematics
Comments: DZKJ Schematics & PCB Layout
No data.
All screenshots are available in the full report
Total processes: 132
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph (interactive view in the full report; node labels only): start; dzkj-1.0.0.55.exe; regsvr32.exe (no specs); dzkj-1.0.0.55.exe (no specs)

Process information

PID: 1540
CMD: "C:\Users\admin\AppData\Local\Temp\DZKJ-1.0.0.55.exe"
Path: C:\Users\admin\AppData\Local\Temp\DZKJ-1.0.0.55.exe
Parent process: explorer.exe
User: admin
Company: DZKJ Schematics
Integrity Level: MEDIUM
Description: DZKJ Schematics & PCB Layout
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.0.0.55
Modules (images):
  c:\users\admin\appdata\local\temp\dzkj-1.0.0.55.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll

PID: 2216
CMD: regsvr32 C:\Users\admin\AppData\Local\Temp\DZPdf.dll /s
Path: C:\Windows\SysWOW64\regsvr32.exe
Parent process: DZKJ-1.0.0.55.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft(C) Register Server
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\syswow64\regsvr32.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\aclayers.dll

PID: 5568
CMD: "C:\Users\admin\AppData\Local\Temp\DZKJ-1.0.0.55.exe"
Path: C:\Users\admin\AppData\Local\Temp\DZKJ-1.0.0.55.exe
Parent process: explorer.exe
User: admin
Company: DZKJ Schematics
Integrity Level: HIGH
Description: DZKJ Schematics & PCB Layout
Version: 1.0.0.55
Modules (images):
  c:\users\admin\appdata\local\temp\dzkj-1.0.0.55.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\ws2_32.dll
Total events: 1 758
Read events: 1 750
Write events: 8
Delete events: 0

Modification events

(PID) Process: (5568) DZKJ-1.0.0.55.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (5568) DZKJ-1.0.0.55.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (5568) DZKJ-1.0.0.55.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2216) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4EE23AE3-BE35-4D73-A46D-20B37AE78EF6}\TypeLib
Operation: write
Name: Version
Value: 1.0

(PID) Process: (2216) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4EE23AE3-BE35-4D73-A46D-20B37AE78EF6}\TypeLib
Operation: write
Name: Version
Value: 1.0

(PID) Process: (2216) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{17800119-D1EF-452A-A97C-1DBEDE9FB9E0}\TypeLib
Operation: write
Name: Version
Value: 1.0

(PID) Process: (2216) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{17800119-D1EF-452A-A97C-1DBEDE9FB9E0}\TypeLib
Operation: write
Name: Version
Value: 1.0

(PID) Process: (2216) regsvr32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6F22EEE9-8467-4806-81C1-FE62D6838E22}\InprocServer32
Operation: write
Name: ThreadingModel
Value: Apartment
Executable files: 2
Suspicious files: 19
Text files: 20
Unknown types: 0

Dropped files

PID 5568, DZKJ-1.0.0.55.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\layui[1].css
  Type: text
  MD5: 8E7BB0928DBB67E3DE4559A17949923B
  SHA256: 6458791D1EA9378D871A09DCDB1F9382858F210B1DDB4123B6A57F7B14DFDD03

PID 5568, DZKJ-1.0.0.55.exe
  Filename: C:\Users\admin\AppData\Roaming\DZKJ\pz.ini
  Type: text
  MD5: DCDF8E9B08B073AFE0D60B2A268178E0
  SHA256: 3629F2F4C23787864692C16308B6BE1F2CCC30EEAE613739D9FC757A6C80F26A

PID 5568, DZKJ-1.0.0.55.exe
  Filename: C:\Users\admin\Desktop\DZKJ Schematics.lnk
  Type: binary
  MD5: 78CBB7E006383A90F572AB0A865D21EC
  SHA256: BDF667C9DBF33F122536DE35417AFDE13BB879E33C5374A4AC12D17F884F0D8F

PID 5568, DZKJ-1.0.0.55.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\layer[1].js
  Type: binary
  MD5: 6E80F0CFF749C82653B9CDDE9EEAB937
  SHA256: 1CE6649D82D2DB0F8E4823F701DDFCFD9C7F107CB446C907E46EC7E57171A2A3

PID 5568, DZKJ-1.0.0.55.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\banner[1].htm
  Type: html
  MD5: C5792FF8E8F584BB178DAEE12F1AFFA2
  SHA256: 5502B590C0E9D6631B271D67A2D75BEBC67E6F036693D67B5B522D54FA7AA74A

PID 5568, DZKJ-1.0.0.55.exe
  Filename: C:\Users\admin\AppData\Roaming\DZKJ\DZClient.exe
  Type: executable
  MD5: B3B94932A44A4F813E8918CD8CD5C68E
  SHA256: A53F65579B6FCF79CFC822340A5733148229BA8F1E865BCEBBB347AF1E21D9CA
  (Same MD5 and SHA256 as the analyzed sample: the sample copies itself into %AppData%\DZKJ.)

PID 5568, DZKJ-1.0.0.55.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\main[1].htm
  Type: html
  MD5: E7FC33574E7B5C1BF5CE4E6A4C93E121
  SHA256: 9AA44A0DE760A56B2D9F14C12B3F13254302024EECDA0114C1120524CAB97DBA

PID 5568, DZKJ-1.0.0.55.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
  Type: binary
  MD5: 4960FEBD4EE459E0EAC0448CBD805938
  SHA256: 02F036C9E5C42F9CCDD54E0CE370785C6A9063B35F9B77A55B44928A5A8867A1

PID 5568, DZKJ-1.0.0.55.exe
  Filename: C:\Users\admin\AppData\Local\Temp\DZPdf.dll
  Type: executable
  MD5: BDDA2E48284524DB3ADCB5E3B2CE4ACC
  SHA256: 94BC55CD925E7A385B3EA9C0F6E91D1392E36610C9EBB7F9557E188E54121E5F

PID 5568, DZKJ-1.0.0.55.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\35DDEDF268117918D1D277A171D8DF7B_3B09126487DFC7E15E2594895176DB45
  Type: binary
  MD5: DD9704D1D543F3ACC26B7254916402AE
  SHA256: 934FB79F6B5E82A179B3A8D4BFF91110A4B88955CDF683355566A33A044D8A9A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 48
TCP/UDP connections: 47
DNS requests: 24
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
- | - | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
- | - | GET | 200 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
- | - | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
5568 | DZKJ-1.0.0.55.exe | POST | 200 | 3.72.182.186:80 | http://www.dzkj16888.com/tg/jh.php | unknown | unknown
5568 | DZKJ-1.0.0.55.exe | GET | 302 | 3.72.182.186:80 | http://www.dzkj16888.com/main/ad/banner.php?code=1.0.0.55 | unknown | unknown
5568 | DZKJ-1.0.0.55.exe | GET | 200 | 3.72.182.186:80 | http://www.dzkj16888.com/main/gg/banner.php | unknown | unknown
5568 | DZKJ-1.0.0.55.exe | GET | 302 | 3.72.182.186:80 | http://www.dzkj16888.com/main/ad/main.php?code=1.0.0.55&ver=55&file=b3b94932a44a4f813e8918cd8cd5c68e | unknown | unknown
1176 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5568 | DZKJ-1.0.0.55.exe | GET | 200 | 3.72.182.186:80 | http://www.dzkj16888.com/main/main.php?ver=55&file=b3b94932a44a4f813e8918cd8cd5c68e | unknown | unknown
5568 | DZKJ-1.0.0.55.exe | POST | 200 | 3.72.182.186:80 | http://down.dzkj16888.com/manage/51/?check=1&cmd=BAF504E89981D28D03EE454EA61277491DE7F3EA7D3D8A9F76D5609AF2A68E9A&ver=55 | unknown | unknown

(The Type and Size columns were empty in this report. The file= parameter in the dzkj16888.com requests is the sample's own MD5 in lowercase; the first three rows carry no PID or process name.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5064 | SearchApp.exe | 23.15.178.179:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted
- | - | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
- | - | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
372 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5568 | DZKJ-1.0.0.55.exe | 3.72.182.186:80 | www.dzkj16888.com | AMAZON-02 | DE | suspicious
1176 | svchost.exe | 40.126.32.74:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted

(Rows marked "-" had no PID or process name in the report.)

DNS requests

Domain | IP(s) | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59 | whitelisted
google.com | 142.250.186.46 | whitelisted
www.bing.com | 23.15.178.179, 23.15.178.171, 23.15.178.163, 23.15.178.169, 23.15.178.186, 23.15.178.184, 23.15.178.168, 23.15.178.185, 23.15.178.170 | whitelisted
crl.microsoft.com | 2.19.11.120, 2.19.11.105 | whitelisted
ocsp.digicert.com | 2.23.77.188, 184.30.131.245 | whitelisted
www.microsoft.com | 2.23.246.101, 23.35.229.160 | whitelisted
www.dzkj16888.com | 3.72.182.186 | unknown
login.live.com | 40.126.32.74, 40.126.32.133, 40.126.32.138, 20.190.160.5, 20.190.160.67, 40.126.32.136, 20.190.160.4, 20.190.160.131 | whitelisted
down.dzkj16888.com | 3.72.182.186 | unknown
connect.facebook.net | 157.240.253.1 | whitelisted

Threats

PID | Process | Class | Message
5568 | DZKJ-1.0.0.55.exe | Potential Corporate Privacy Violation | ET INFO Unsupported/Fake Windows NT Version 5.0
5568 | DZKJ-1.0.0.55.exe | Potential Corporate Privacy Violation | ET INFO Unsupported/Fake Windows NT Version 5.0
No debug info