My colleague send me some exe files, he wants to check if they are really the malicious. Because in the vt, most of the anti-av say they are the malicious. Just take one as the example. You can find static and the dynamic scan details here: https://malwr.com/analysis/MzlkNGUxOWNkZmMwNGU4NjkzMTdmYWU5MzAwNWVhYzU/ From the antiav section: we found many alerts: But from the dynamic result, I found the there was no abnormal actions in the execution flow. So it’s the false positive? But many av alerts. …… At last, I found the reason working with nEINEI. The section of this PE file has been changed. The Attribute of this section has been update to rwe. And also found someone inject some datas into this section. …..