10.6
0-day

87ed2d1e930c4c31ee4cec3ac038047309dc4cbed4fd3c3198bbf11a08680ed7

0128718b86b4780e0b9629fb4eb5bf68.exe

Analysis duration

109s

Latest analysis

File size

4.1MB
Static detections, dynamic detections: ARTEMIS ATTRIBUTE DECEPTPCCLEAN FUFMLT GENERIC PUA CA HACKTOOL HELPER HIGHCONFIDENCE HOAX MALWARE@#1RB54A1FO2R5O MODERATE CONFIDENCE PCVARK PUASSON QVM42 R255045 SUSGEN UNSAFE
Eagle Eye engine
Not detected: no Eagle Eye engine detection results available
Static verdict
Antivirus engines
Engine Result Scan date Engine version
McAfee Artemis!0128718B86B4 20191212 6.0.6.653
Alibaba 20190527 0.3.0.5
CrowdStrike 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:Malware-gen 20191210 18.4.3895.0
Tencent 20191212 1.0.0.1
Kingsoft 20191212 2013.8.14.323
Static indicators
Queries for the computername (18 events)
Checks if process is being debugged by a debugger (2 events)
Time & API Arguments Status Return Repeated
1620119622.564924
IsDebuggerPresent
failed 0 0
1620147092.800396
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 event)
Time & API Arguments Status Return Repeated
1620147508.313125
WriteConsoleW
buffer: 错误: 没有找到进程 "SDG.exe"。
console_handle: 0x0000000b
success 1 0
Uses Windows APIs to generate a cryptographic key (2 events)
Time & API Arguments Status Return Repeated
1620147113.113396
CryptExportKey
crypto_handle: 0x000000000051d710
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1620147116.722396
CryptExportKey
crypto_handle: 0x000000000051a7e0
crypto_export_handle: 0x0000000000000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
This executable is signed
Checks the amount of memory in the system; this can be used to detect virtual machines with a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1620147507.328375
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .itext
Behavioural verdict
Dynamic indicators
Performs some HTTP requests (1 event)
request GET http://www.premiumtechiesupport.com/apc/afterinstall/?utm_source=site&utm_campaign=site&utm_medium=site&utm_pubid=&pxl=&x-context=&x-at=&x-uid=-5439840487110307067&x-dm=aHR0cDovL3d3dy5wcmVtaXVtdGVjaGllc3VwcG9ydC5jb20v&x-ccode=in
Allocates read-write-execute memory (usually to unpack itself) (50 of 234 events)
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Queries the disk size, which could be used to detect a virtual machine with a small fixed-size or dynamically allocated disk (1 event)
Time & API Arguments Status Return Repeated
1620147094.519646
GetDiskFreeSpaceExW
root_path: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Explorer
free_bytes_available: 19426136064
total_number_of_free_bytes: 0
total_number_of_bytes: 0
success 1 0
Creates executable files on the filesystem (3 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-MJ1TC.tmp\_isetup\_iscrypt.dll
file C:\Users\Public\Desktop\System Diagnostics.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Diagnostics\System Diagnostics.lnk
Creates a shortcut to an executable file (4 events)
file C:\Program Files\System Diagnostics\Buy System Diagnostics.lnk
file C:\Users\Public\Desktop\System Diagnostics.lnk
file C:\Users\Public\Desktop\Google Chrome.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Diagnostics\System Diagnostics.lnk
Drops an executable to the user AppData folder (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-IJBPT.tmp\0128718b86b4780e0b9629fb4eb5bf68.tmp
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-MJ1TC.tmp\_isetup\_iscrypt.dll
Executes one or more WMI queries (4 events)
wmi SELECT Capacity FROM Win32_PhysicalMemory
wmi select * from Win32_OperatingSystem
wmi SELECT * FROM Win32_BaseBoard
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "SDG.exe")
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1620147507.547375
ShellExecuteExW
parameters: /f /im "SDG.exe"
filepath: taskkill.exe
filepath_r: taskkill.exe
show_type: 0
success 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1620147133.847396
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1620147508.063125
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Queries for potentially installed applications (6 events)
Time & API Arguments Status Return Repeated
1620147510.797375
RegOpenKeyExW
access: 0x00000101
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\B44589A8-017F-47D5-88D0-B12504F6767D_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\B44589A8-017F-47D5-88D0-B12504F6767D_is1
options: 0
failed 2 0
1620147510.797375
RegOpenKeyExW
access: 0x00000101
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\B44589A8-017F-47D5-88D0-B12504F6767D_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\B44589A8-017F-47D5-88D0-B12504F6767D_is1
options: 0
failed 2 0
1620147516.516375
RegOpenKeyExW
access: 0x00000108
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\B44589A8-017F-47D5-88D0-B12504F6767D_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\B44589A8-017F-47D5-88D0-B12504F6767D_is1
options: 0
failed 2 0
1620147516.516375
RegOpenKeyExW
access: 0x00000108
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\B44589A8-017F-47D5-88D0-B12504F6767D_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\B44589A8-017F-47D5-88D0-B12504F6767D_is1
options: 0
failed 2 0
1620147516.656375
RegOpenKeyExW
access: 0x00000108
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\System Diagnostics_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\System Diagnostics_is1
options: 0
failed 2 0
1620147516.656375
RegOpenKeyExW
access: 0x00000108
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\System Diagnostics_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\System Diagnostics_is1
options: 0
failed 2 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline "C:\Windows\System32\taskkill.exe" /f /im "SDG.exe"
cmdline taskkill.exe /f /im "SDG.exe"
Executes one or more WMI queries which can be used to identify virtual machines (1 event)
wmi SELECT Capacity FROM Win32_PhysicalMemory
Network communication
Communicates with host for which no DNS query was performed (2 events)
host 172.217.24.14
host 216.239.34.21
Disables proxy possibly for traffic interception (1 event)
Time & API Arguments Status Return Repeated
1620147132.503396
RegSetValueExA
key_handle: 0x000000000000050c
value: 0
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
success 0 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (15 events)
Generates some ICMP traffic
File has been identified by 26 AntiVirus engines on VirusTotal as malicious (26 events)
McAfee Artemis!0128718B86B4
Cylance Unsafe
K7AntiVirus Adware ( 00507ae21 )
K7GW Adware ( 00507ae21 )
Invincea heuristic
Symantec ML.Attribute.HighConfidence
Kaspersky Hoax.Win32.DeceptPCClean.ilg
NANO-Antivirus Riskware.Win32.DeceptPCClean.fufmlt
Avast Win32:Malware-gen
Sophos Generic PUA CA (PUA)
Comodo Malware@#1rb54a1fo2r5o
DrWeb Program.Unwanted.3414
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition Artemis
Webroot W32.Adware.Gen
Microsoft PUA:Win32/Puasson.A!ml
Endgame malicious (moderate confidence)
AegisLab Hacktool.Win32.DeceptPCClean.3!c
ZoneAlarm Hoax.Win32.DeceptPCClean.ilg
AhnLab-V3 PUP/Win32.Helper.R255045
Malwarebytes PUP.Optional.PCVARK
ESET-NOD32 a variant of Win32/Pcvark.A potentially unwanted
MaxSecure Trojan.Malware.74161428.susgen
Fortinet Riskware/DeceptPCClean
AVG Win32:Malware-gen
Qihoo-360 HEUR/QVM42.3.DC7F.Malware.Gen
Visual analysis
Binary image
No binary image: this sample produced no binary visualization image
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran


PE Compile Time

2016-04-06 22:39:04

Imports

Library oleaut32.dll:
0x419304 SysFreeString
0x419308 SysReAllocStringLen
0x41930c SysAllocStringLen
Library advapi32.dll:
0x419314 RegQueryValueExW
0x419318 RegOpenKeyExW
0x41931c RegCloseKey
Library user32.dll:
0x419324 GetKeyboardType
0x419328 LoadStringW
0x41932c MessageBoxA
0x419330 CharNextW
Library kernel32.dll:
0x419338 GetACP
0x41933c Sleep
0x419340 VirtualFree
0x419344 VirtualAlloc
0x419348 GetSystemInfo
0x41934c GetTickCount
0x419354 GetVersion
0x419358 GetCurrentThreadId
0x41935c VirtualQuery
0x419360 WideCharToMultiByte
0x419364 MultiByteToWideChar
0x419368 lstrlenW
0x41936c lstrcpynW
0x419370 LoadLibraryExW
0x419374 GetThreadLocale
0x419378 GetStartupInfoA
0x41937c GetProcAddress
0x419380 GetModuleHandleW
0x419384 GetModuleFileNameW
0x419388 GetLocaleInfoW
0x41938c GetCommandLineW
0x419390 FreeLibrary
0x419394 FindFirstFileW
0x419398 FindClose
0x41939c ExitProcess
0x4193a0 WriteFile
0x4193a8 RtlUnwind
0x4193ac RaiseException
0x4193b0 GetStdHandle
0x4193b4 CloseHandle
Library kernel32.dll:
0x4193bc TlsSetValue
0x4193c0 TlsGetValue
0x4193c4 LocalAlloc
0x4193c8 GetModuleHandleW
Library user32.dll:
0x4193d0 CreateWindowExW
0x4193d4 TranslateMessage
0x4193d8 SetWindowLongW
0x4193dc PeekMessageW
0x4193e4 MessageBoxW
0x4193e8 LoadStringW
0x4193ec GetSystemMetrics
0x4193f0 ExitWindowsEx
0x4193f4 DispatchMessageW
0x4193f8 DestroyWindow
0x4193fc CharUpperBuffW
0x419400 CallWindowProcW
Library kernel32.dll:
0x419408 WriteFile
0x41940c WideCharToMultiByte
0x419410 WaitForSingleObject
0x419414 VirtualQuery
0x419418 VirtualProtect
0x41941c VirtualFree
0x419420 VirtualAlloc
0x419424 SizeofResource
0x419428 SignalObjectAndWait
0x41942c SetLastError
0x419430 SetFilePointer
0x419434 SetEvent
0x419438 SetErrorMode
0x41943c SetEndOfFile
0x419440 ResetEvent
0x419444 RemoveDirectoryW
0x419448 ReadFile
0x41944c MultiByteToWideChar
0x419450 LockResource
0x419454 LoadResource
0x419458 LoadLibraryW
0x419460 GetVersionExW
0x419464 GetVersion
0x41946c GetThreadLocale
0x419470 GetSystemInfo
0x419474 GetSystemDirectoryW
0x419478 GetStdHandle
0x41947c GetProcAddress
0x419480 GetModuleHandleW
0x419484 GetModuleFileNameW
0x419488 GetLocaleInfoW
0x41948c GetLastError
0x419490 GetFullPathNameW
0x419494 GetFileSize
0x419498 GetFileAttributesW
0x41949c GetExitCodeProcess
0x4194a4 GetDiskFreeSpaceW
0x4194a8 GetCurrentProcess
0x4194ac GetCommandLineW
0x4194b0 GetCPInfo
0x4194b4 InterlockedExchange
0x4194bc FreeLibrary
0x4194c0 FormatMessageW
0x4194c4 FindResourceW
0x4194c8 EnumCalendarInfoW
0x4194cc DeleteFileW
0x4194d0 CreateProcessW
0x4194d4 CreateFileW
0x4194d8 CreateEventW
0x4194dc CreateDirectoryW
0x4194e0 CloseHandle
Library advapi32.dll:
0x4194e8 RegQueryValueExW
0x4194ec RegOpenKeyExW
0x4194f0 RegCloseKey
0x4194f4 OpenProcessToken
Library comctl32.dll:
0x419500 InitCommonControls
Library kernel32.dll:
0x419508 Sleep
Library advapi32.dll:

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49205 66.212.148.117 www.premiumtechiesupport.com 80

UDP


HTTP & HTTPS Requests

URI Data
http://www.premiumtechiesupport.com/apc/afterinstall/?utm_source=site&utm_campaign=site&utm_medium=site&utm_pubid=&pxl=&x-context=&x-at=&x-uid=-5439840487110307067&x-dm=aHR0cDovL3d3dy5wcmVtaXVtdGVjaGllc3VwcG9ydC5jb20v&x-ccode=in
GET /apc/afterinstall/?utm_source=site&utm_campaign=site&utm_medium=site&utm_pubid=&pxl=&x-context=&x-at=&x-uid=-5439840487110307067&x-dm=aHR0cDovL3d3dy5wcmVtaXVtdGVjaGllc3VwcG9ydC5jb20v&x-ccode=in HTTP/1.1
Accept: */*
Accept-Language: zh-cn
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: www.premiumtechiesupport.com
Connection: Keep-Alive

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.