9.8
Critical

17097ba5ec9193f0873f230dedc4d6a507007f23a02617c081ac8065aead6baa

264e618bd72e1b39bb278ea3f87ee478.exe

Analysis duration

78s

Last analyzed

File size

1.1MB
Tags: flagged by static scan, flagged by dynamic scan, APPDATER, APPSINSTALLER, DATERAPP, HIGH CONFIDENCE, LEADLABSLLC, MALICIOUS, SIGADWARE
Eagle Eye engine (鹰眼引擎)
Not detected: no Eagle Eye engine result is available for this sample
Static verdict
Antivirus engines
Engine       Result   Scan time  Engine version
Alibaba      (empty)  20190527   0.3.0.5
Baidu        (empty)  20190318   1.0.0.2
Tencent      (empty)  20190814   1.0.0.1
Kingsoft     (empty)  20190814   2013.8.14.323
McAfee       (empty)  20190813   6.0.6.653
CrowdStrike  (empty)  20190212   1.0
None of the six local engines reported a detection, but their signature dates are all from 2019, roughly two years before this April 2021 run (the API timestamps start at 1619269230). The VirusTotal results under the dynamic indicators are the more current signal.
Static indicators
Queries for the computer name (1 event)
Time & API Arguments Status Return Repeated
1619269230.542343
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Command line console output was observed (50 of 90 events shown)
All 50 listed calls are identical except for their timestamp:
API: WriteConsoleA   buffer: <INVALID POINTER>   console_handle: 0x00000000   Status: failed   Return: 0   Repeated: 0
Timestamps:
1619269230.339343  1619269230.354343  1619269230.370343  1619269230.370343  1619269230.448343
1619269230.729343  1619269230.854343  1619269230.901343  1619269231.057343  1619269231.089343
1619269231.339343  1619269231.354343  1619269231.511343  1619269231.526343  1619269259.229343
1619269259.729343  1619269259.729343  1619269259.745343  1619269260.714343  1619269263.401343
1619269263.417343  1619269263.714343  1619269263.714343  1619269265.823343  1619269267.620343
1619269267.854343  1619269269.323343  1619269269.339343  1619269269.354343  1619269269.354343
1619269269.386343  1619269269.386343  1619269269.417343  1619269269.432343  1619269269.448343
1619269269.479343  1619269269.495343  1619269269.495343  1619269269.526343  1619269269.526343
1619269269.542343  1619269269.542343  1619269269.557343  1619269269.573343  1619269269.573343
1619269269.589343  1619269269.604343  1619269269.604343  1619269269.620343  1619269269.651343
A console_handle of 0x00000000 means the process had no console attached, and every call failed, so no command-line output was actually produced; the signature fires on the attempt. The first two exception records listed below (1619269259.229343 and 1619269267.854343) coincide exactly with WriteConsoleA calls, which is consistent with exception text being written to a console that does not exist.
This executable is signed (the report does not show the signer or whether the chain validated; a signature is a provenance hint, not a verdict)
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .itext
.itext is the initialization-code section that Delphi and C++Builder compilers emit. Together with the 0x0EEDFADE exception code below and the SysAllocStringLen/SafeArray imports it indicates a Delphi build, not a packer, so this is the false-positive case the signature warns about.
One or more processes crashed (5 events)
All five records carry exception_code 0x0EEDFADE, the code the Delphi runtime passes to RaiseException for a language-level exception, and the stack shows the sample raising it from its own code (0x4579e3, 0x45882e) rather than a fault such as 0xC0000005. The process kept logging API calls after the first record at 1619269259 (WriteConsoleA calls at 1619269269, further exceptions up to 1619269282), so these were handled exceptions, not process terminations.
Time & API Arguments Status Return Repeated
1619269259.229343
__exception__
stacktrace:
264e618bd72e1b39bb278ea3f87ee478+0x579e3 @ 0x4579e3
264e618bd72e1b39bb278ea3f87ee478+0x58648 @ 0x458648
264e618bd72e1b39bb278ea3f87ee478+0x58a3f @ 0x458a3f
264e618bd72e1b39bb278ea3f87ee478+0x52f83 @ 0x452f83
264e618bd72e1b39bb278ea3f87ee478+0x5b51d @ 0x45b51d
264e618bd72e1b39bb278ea3f87ee478+0x5b85a @ 0x45b85a
264e618bd72e1b39bb278ea3f87ee478+0x5d31f @ 0x45d31f
264e618bd72e1b39bb278ea3f87ee478+0x62cfd @ 0x462cfd
264e618bd72e1b39bb278ea3f87ee478+0x353e1 @ 0x4353e1
264e618bd72e1b39bb278ea3f87ee478+0x618e @ 0x40618e
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 38927396
registers.edi: 32468896
registers.eax: 38927396
registers.ebp: 38927476
registers.edx: 0
registers.ebx: 12152
registers.esi: 256
registers.ecx: 7
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
1619269267.854343
__exception__
stacktrace:
264e618bd72e1b39bb278ea3f87ee478+0x5882e @ 0x45882e
264e618bd72e1b39bb278ea3f87ee478+0x58a6f @ 0x458a6f
264e618bd72e1b39bb278ea3f87ee478+0x52f83 @ 0x452f83
264e618bd72e1b39bb278ea3f87ee478+0x5bdbf @ 0x45bdbf
264e618bd72e1b39bb278ea3f87ee478+0x5c08e @ 0x45c08e
264e618bd72e1b39bb278ea3f87ee478+0x7e9b9 @ 0x47e9b9
264e618bd72e1b39bb278ea3f87ee478+0x6425e @ 0x46425e
264e618bd72e1b39bb278ea3f87ee478+0x66a8f @ 0x466a8f
264e618bd72e1b39bb278ea3f87ee478+0x66ea9 @ 0x466ea9
264e618bd72e1b39bb278ea3f87ee478+0x65763 @ 0x465763
264e618bd72e1b39bb278ea3f87ee478+0x353e1 @ 0x4353e1
264e618bd72e1b39bb278ea3f87ee478+0x618e @ 0x40618e
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 38927204
registers.edi: 0
registers.eax: 38927204
registers.ebp: 38927284
registers.edx: 0
registers.ebx: 32295984
registers.esi: 13369356
registers.ecx: 7
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
1619269276.807343
__exception__
stacktrace:
264e618bd72e1b39bb278ea3f87ee478+0x579e3 @ 0x4579e3
264e618bd72e1b39bb278ea3f87ee478+0x58648 @ 0x458648
264e618bd72e1b39bb278ea3f87ee478+0x58a3f @ 0x458a3f
264e618bd72e1b39bb278ea3f87ee478+0x52f83 @ 0x452f83
264e618bd72e1b39bb278ea3f87ee478+0x5bdbf @ 0x45bdbf
264e618bd72e1b39bb278ea3f87ee478+0x5bf66 @ 0x45bf66
264e618bd72e1b39bb278ea3f87ee478+0x69ebd @ 0x469ebd
264e618bd72e1b39bb278ea3f87ee478+0x6a556 @ 0x46a556
264e618bd72e1b39bb278ea3f87ee478+0x6f1ba @ 0x46f1ba
264e618bd72e1b39bb278ea3f87ee478+0x353e1 @ 0x4353e1
264e618bd72e1b39bb278ea3f87ee478+0x618e @ 0x40618e
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 99679156
registers.edi: 32492464
registers.eax: 99679156
registers.ebp: 99679236
registers.edx: 0
registers.ebx: 12007
registers.esi: 256
registers.ecx: 7
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
1619269279.557343
__exception__
stacktrace:
264e618bd72e1b39bb278ea3f87ee478+0x579e3 @ 0x4579e3
264e618bd72e1b39bb278ea3f87ee478+0x58648 @ 0x458648
264e618bd72e1b39bb278ea3f87ee478+0x58a3f @ 0x458a3f
264e618bd72e1b39bb278ea3f87ee478+0x52f83 @ 0x452f83
264e618bd72e1b39bb278ea3f87ee478+0x5bdbf @ 0x45bdbf
264e618bd72e1b39bb278ea3f87ee478+0x5bf66 @ 0x45bf66
264e618bd72e1b39bb278ea3f87ee478+0x69ebd @ 0x469ebd
264e618bd72e1b39bb278ea3f87ee478+0x6a556 @ 0x46a556
264e618bd72e1b39bb278ea3f87ee478+0x6f1ba @ 0x46f1ba
264e618bd72e1b39bb278ea3f87ee478+0x353e1 @ 0x4353e1
264e618bd72e1b39bb278ea3f87ee478+0x618e @ 0x40618e
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 99679156
registers.edi: 32492464
registers.eax: 99679156
registers.ebp: 99679236
registers.edx: 0
registers.ebx: 12007
registers.esi: 256
registers.ecx: 7
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
1619269282.807343
__exception__
stacktrace:
264e618bd72e1b39bb278ea3f87ee478+0x579e3 @ 0x4579e3
264e618bd72e1b39bb278ea3f87ee478+0x58648 @ 0x458648
264e618bd72e1b39bb278ea3f87ee478+0x58a3f @ 0x458a3f
264e618bd72e1b39bb278ea3f87ee478+0x52f83 @ 0x452f83
264e618bd72e1b39bb278ea3f87ee478+0x5bdbf @ 0x45bdbf
264e618bd72e1b39bb278ea3f87ee478+0x5bf66 @ 0x45bf66
264e618bd72e1b39bb278ea3f87ee478+0x69ebd @ 0x469ebd
264e618bd72e1b39bb278ea3f87ee478+0x6a556 @ 0x46a556
264e618bd72e1b39bb278ea3f87ee478+0x6f1ba @ 0x46f1ba
264e618bd72e1b39bb278ea3f87ee478+0x353e1 @ 0x4353e1
264e618bd72e1b39bb278ea3f87ee478+0x618e @ 0x40618e
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 99679156
registers.edi: 32492464
registers.eax: 99679156
registers.ebp: 99679236
registers.edx: 0
registers.ebx: 12007
registers.esi: 256
registers.ecx: 7
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
Behavioral verdict
Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware related traffic (5 events)
suspicious_features GET method with no useragent header suspicious_request GET http://softprecdn.ru/offerscreens/only_offer_kis_100.png
suspicious_features GET method with no useragent header suspicious_request GET http://softprecdn.ru/offerscreens/avast-740x620x8-en.png
suspicious_features GET method with no useragent header suspicious_request GET http://softprecdn.ru/offerscreens/avast-checkbox.png
suspicious_features GET method with no useragent header suspicious_request GET http://softprecdn.ru/offerscreens/only_offer_ya_100.png?rnd=<random>
suspicious_features POST method with no referer header suspicious_request POST https://softpreapi.ru/analytics/
Performs some HTTP requests (9 events)
request GET http://softprecdn.ru/offerscreens/only_offer_kis_100.png
request GET http://softprecdn.ru/offerscreens/avast-740x620x8-en.png
request GET http://softprecdn.ru/offerscreens/avast-checkbox.png
request GET http://softprecdn.ru/offerscreens/only_offer_ya_100.png?rnd=<random>
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
request POST https://softpreapi.ru/analytics/
request GET https://softprecdn.ru/cache/unsafe/44x44/softprecdn.ru/offerscreens/opera-icon.png?rnd=<random>
request GET https://softprecdn.ru/cache/unsafe/44x44/softprecdn.ru/offerscreens/yandex-icon.png?rnd=<random>
Sends data using the HTTP POST method (1 event)
request POST https://softpreapi.ru/analytics/
Resolves a suspicious Top Level Domain (TLD) (4 events)
domain stdater.ru description Russian Federation domain TLD
domain softprecdn.ru description Russian Federation domain TLD
domain getfreeav.ru description Russian Federation domain TLD
domain softpreapi.ru description Russian Federation domain TLD
A process attempted to delay the analysis task (1 event)
description 264e618bd72e1b39bb278ea3f87ee478.exe tried to sleep 292 seconds, actually delayed analysis time by 292 seconds
Steals private information from local Internet browsers (1 event)
registry HKEY_CURRENT_USER\Software\Opera Software
The only evidence behind this signature is access to the Opera Software registry key; the report shows no reads of browser profile files or credential stores. Taken with the opera-icon.png and yandex-icon.png "offerscreens" downloads listed above, an installed-browser check for a bundled-software offer is the simpler reading.
File has been identified by 9 antivirus engines on VirusTotal as malicious (9 events)
APEX Malicious
Kaspersky not-a-virus:HEUR:Downloader.Win32.DaterApp.gen
DrWeb Program.Appdater.1
Antiy-AVL RiskWare[Downloader]/Win32.DaterApp
Endgame malicious (high confidence)
ZoneAlarm not-a-virus:HEUR:Downloader.Win32.DaterApp.gen
AhnLab-V3 PUP/Win32.AppsInstaller.C3044884
VBA32 SigAdware.LeadLabsLLC
Qihoo-360 Win32/Virus.Downloader.42f
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619269232.151343
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Return value 111 is ERROR_BUFFER_OVERFLOW: with flags 0 and family 0 (AF_UNSPEC) this is the standard size-probing first call, so the "failure" is expected and the adapter list was most likely returned by a follow-up call the signature does not show.
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.596336547726232 section {'size_of_data': '0x00061200', 'virtual_address': '0x000c8000', 'entropy': 7.596336547726232, 'name': '.rsrc', 'virtual_size': '0x00061200'} description A section with a high entropy has been found
entropy 0.3388573920627998 description Overall entropy of this PE file is high
The second figure is not an entropy. The Cuckoo packer_entropy signature, whose wording this report matches, reports the share of the PE's section bytes that sit in high-entropy sections (0x61200 bytes of .rsrc out of about 1.17 MB, consistent with the 1.1 MB file size) and flags the file when that share exceeds 0.2. The 7.6-bit entropy of .rsrc is the real datum, and a high-entropy resource section also describes embedded compressed resources such as images or an archived payload, so on its own this is a weak packer indicator.
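The following added example (not part of the original report or of the sandbox's code) reproduces the two-stage check behind this signature so the numbers above can be read correctly: per-section Shannon entropy against a 6.8-bit threshold, then the fraction of section bytes in high-entropy sections against 0.2. The thresholds are Cuckoo's and the section contents are constructed, not the sample's bytes.

```python
import math
from collections import Counter

# Thresholds of the Cuckoo "packer_entropy" signature (assumption: the sandbox
# that produced this report applies the same ones).
SECTION_THRESHOLD = 6.8   # bits per byte
OVERALL_THRESHOLD = 0.2   # share of PE data in high-entropy sections


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packer_entropy_marks(sections):
    """
    sections: list of (name, raw_bytes) in PE section order.
    Returns the (value, description) marks the signature would emit. The value of
    the 'Overall' mark is a ratio of bytes, not an entropy, which is why the report
    above shows 0.3388 next to the word 'entropy'.
    """
    marks = []
    total_bytes = 0
    high_entropy_bytes = 0
    for name, raw in sections:
        e = shannon_entropy(raw)
        total_bytes += len(raw)
        if e > SECTION_THRESHOLD:
            marks.append((e, f"A section with a high entropy has been found: {name}"))
            high_entropy_bytes += len(raw)
    if total_bytes and high_entropy_bytes / total_bytes > OVERALL_THRESHOLD:
        marks.append((high_entropy_bytes / total_bytes,
                      "Overall entropy of this PE file is high"))
    return marks


# Constructed sections (not the real sample): a code section of four repeating
# opcodes (exactly 2 bits/byte), an all-zero data section (0 bits/byte) and a
# resource section with a uniform byte distribution (exactly 8 bits/byte).
CONSTRUCTED_SECTIONS = [
    (".text", bytes([0x8B, 0x45, 0x08, 0x90]) * 60000),   # 240000 bytes
    (".data", b"\x00" * 100000),                          # 100000 bytes
    (".rsrc", bytes(range(256)) * 1000),                  # 256000 bytes
]

if __name__ == "__main__":
    for value, description in packer_entropy_marks(CONSTRUCTED_SECTIONS):
        print(f"{value:.4f}  {description}")
```

On the constructed input only .rsrc crosses the section threshold, and it holds 256000 of 596000 section bytes, so the overall mark fires at about 0.43; removing the resource section's high entropy removes both marks, which is the sense in which the second event is derived from the first rather than independent evidence.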
Network communications
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Attempts to identify installed AV products by registry key (4 events)
registry HKEY_CURRENT_USER\SOFTWARE\AVAST Software\Avast Browser Cleanup
registry HKEY_CURRENT_USER\Software\AVAST Software\Avast
registry HKEY_CURRENT_USER\Software\Wow6432Node\AVAST Software\Avast
registry HKEY_CURRENT_USER\SOFTWARE\AVAST Software\Avast
Disables proxy possibly for traffic interception (1 event)
Writing ProxyEnable=0 switches the user's manual proxy off. By itself that removes an interception point rather than adding one, and no ProxyServer or AutoConfigURL write appears anywhere in this report.
Time & API Arguments Status Return Repeated
1619269231.432343
RegSetValueExA
key_handle: 0x000002d4
value: 0
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
success 0 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
Every write below goes to the Wpad\{network-id} cache (decision, reason, time, network name, last network) that WinINet/WinHTTP auto-proxy detection maintains on its own; no PAC URL or proxy server is set. The sample drives WinINet directly (InternetOpenA, HttpSendRequestA in the import table), so these keys are the expected side effect of its first request, not evidence of proxy hijacking.
Time & API Arguments Status Return Repeated
1619269234.714343
RegSetValueExA
key_handle: 0x0000043c
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619269234.714343
RegSetValueExA
key_handle: 0x0000043c
value: 80 b2 c1 dc 44 39 d7 01 (8-byte REG_BINARY timestamp; the report rendered the bytes as cp1252 text)
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619269234.714343
RegSetValueExA
key_handle: 0x0000043c
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619269234.714343
RegSetValueExW
key_handle: 0x0000043c
value: 网络 2 (the Chinese-locale Windows default connection name, "Network 2")
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619269234.729343
RegSetValueExA
key_handle: 0x00000454
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619269234.729343
RegSetValueExA
key_handle: 0x00000454
value: 80 b2 c1 dc 44 39 d7 01 (8-byte REG_BINARY timestamp; the report rendered the bytes as cp1252 text)
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619269234.729343
RegSetValueExA
key_handle: 0x00000454
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619269234.761343
RegSetValueExW
key_handle: 0x00000438
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
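The two proxy signatures above fire on any RegSetValueEx under Internet Settings and treat the WPAD cache the same as a real proxy override. The added example below (editorial, not the sandbox's code) triages the RegSetValueEx events from this report by the value actually written: the WPAD cache keys are rated informational, ProxyEnable=0 medium, and only a ProxyServer or AutoConfigURL write (none occurs in this report; the one in the code is a hypothetical event so the high-severity path is exercised) is rated high.

```python
import re

# Registry paths as they appear in the sandbox's RegSetValueEx log (case-insensitive).
INET_SETTINGS = "\\software\\microsoft\\windows\\currentversion\\internet settings\\"

# Values WinINet/WinHTTP write themselves while caching a WPAD auto-detect decision.
WPAD_CACHE = re.compile(
    r"\\Internet Settings\\Wpad(?:\\[^\\]+)?\\Wpad"
    r"(?:Decision|DecisionReason|DecisionTime|NetworkName|LastNetwork)$",
    re.IGNORECASE,
)

# Values that redirect traffic when written. None appear in this report; they are
# listed so the classifier shows what a genuine interception write looks like.
REDIRECT_VALUES = {"proxyserver", "autoconfigurl", "proxyoverride"}

SEVERITY = {"none": 0, "info": 1, "medium": 2, "high": 3}


def triage_registry_write(event):
    """Classify one RegSetValueEx event ({'regkey': ..., 'value': ...}) from the log."""
    key = event["regkey"]
    leaf = key.rsplit("\\", 1)[-1]
    name = leaf.lower()
    if WPAD_CACHE.search(key):
        return "info", "WPAD auto-detect cache written by WinINet/WinHTTP"
    if INET_SETTINGS not in key.lower():
        return "none", "not a proxy setting"
    if name == "proxyenable":
        if str(event["value"]) == "0":
            return "medium", "manual proxy disabled (ProxyEnable=0)"
        return "high", "manual proxy enabled (ProxyEnable=1)"
    if name in REDIRECT_VALUES:
        return "high", f"proxy redirection: {leaf}={event['value']}"
    return "none", "other Internet Settings value"


def proxy_verdict(events):
    """Return (worst severity, [(severity, label, regkey), ...]) for a batch of events."""
    findings = [(*triage_registry_write(e), e["regkey"]) for e in events]
    if not findings:
        return "none", findings
    worst = max(findings, key=lambda f: SEVERITY[f[0]])[0]
    return worst, findings


HKCU_INET = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
NET_GUID = "{40112ABE-63B3-43C3-BE93-1440EE3AF106}"

# Events transcribed from this report's ProxyEnable and Wpad signatures.
REPORT_EVENTS = [
    {"regkey": HKCU_INET + r"\ProxyEnable", "value": 0},
    {"regkey": HKCU_INET + "\\Wpad\\" + NET_GUID + "\\WpadDecisionReason", "value": 1},
    {"regkey": HKCU_INET + "\\Wpad\\" + NET_GUID + "\\WpadDecision", "value": 3},
    {"regkey": HKCU_INET + "\\Wpad\\" + NET_GUID + "\\WpadNetworkName", "value": "网络 2"},
    {"regkey": HKCU_INET + r"\Wpad\0a-00-27-00-00-00\WpadDecision", "value": 3},
    {"regkey": HKCU_INET + r"\Wpad\WpadLastNetwork", "value": NET_GUID},
]

# Hypothetical event, NOT in the report: what a PAC-based interception would log.
HYPOTHETICAL_PAC_EVENT = {
    "regkey": HKCU_INET + r"\AutoConfigURL",
    "value": "http://proxy.example.invalid/wpad.dat",
}

if __name__ == "__main__":
    worst, findings = proxy_verdict(REPORT_EVENTS)
    print("worst severity:", worst)
    for severity, label, regkey in findings:
        print(f"  {severity:6}  {label}  [{regkey.rsplit(chr(92), 1)[-1]}]")
```

Run on the report's own events the worst rating is medium, driven solely by ProxyEnable=0; adding the hypothetical AutoConfigURL write raises it to high, which is the distinction the sandbox's wording blurs.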
Network activity contains more than one unique useragent (3 events)
The empty entry corresponds to the User-Agent-less GETs to softprecdn.ru shown in the HTTP section; "Mozilla/3.0 (compatible; TALWinInetHTTPClient)" is the default agent string of the Alcinoe Delphi WinINet client component, which fits the Delphi build identified above.
process 264e618bd72e1b39bb278ea3f87ee478.exe useragent Appinstaller/63e4a59 (Windows NT 6.1.7601)
process 264e618bd72e1b39bb278ea3f87ee478.exe useragent
process 264e618bd72e1b39bb278ea3f87ee478.exe useragent Mozilla/3.0 (compatible; TALWinInetHTTPClient)
Generates some ICMP traffic (the packet-capture summary at the end of this report lists no ICMP traffic, so treat this signature as unconfirmed)
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)
dead_host 172.217.26.136:443
dead_host 117.18.237.29:80
Visual analysis
Binary image
No binary image: no binary visualization was generated for this sample
Run-time screenshots
No screenshots: no screenshots were captured while the sample ran


PE Compile Time

2019-08-07 19:26:24

Imports

Library oleaut32.dll:
0x4c3814 SysFreeString
0x4c3818 SysReAllocStringLen
0x4c381c SysAllocStringLen
Library advapi32.dll:
0x4c3824 RegQueryValueExW
0x4c3828 RegOpenKeyExW
0x4c382c RegCloseKey
Library user32.dll:
0x4c3834 LoadStringW
0x4c3838 MessageBoxA
0x4c383c CharNextW
Library kernel32.dll:
0x4c3844 lstrcmpiA
0x4c3848 LoadLibraryA
0x4c384c LocalFree
0x4c3850 LocalAlloc
0x4c3854 GetACP
0x4c3858 Sleep
0x4c385c VirtualFree
0x4c3860 VirtualAlloc
0x4c3864 GetSystemInfo
0x4c3868 GetTickCount
0x4c3870 GetVersion
0x4c3874 GetCurrentThreadId
0x4c3878 VirtualQuery
0x4c387c WideCharToMultiByte
0x4c3884 MultiByteToWideChar
0x4c3888 lstrlenW
0x4c388c lstrcpynW
0x4c3890 LoadLibraryExW
0x4c3894 IsValidLocale
0x4c389c GetStartupInfoA
0x4c38a0 GetProcAddress
0x4c38a4 GetModuleHandleW
0x4c38a8 GetModuleFileNameW
0x4c38b0 GetLocaleInfoW
0x4c38b4 GetLastError
0x4c38bc GetCommandLineW
0x4c38c0 FreeLibrary
0x4c38c4 FindFirstFileW
0x4c38c8 FindClose
0x4c38cc ExitProcess
0x4c38d0 ExitThread
0x4c38d4 CreateThread
0x4c38d8 CompareStringW
0x4c38dc WriteFile
0x4c38e4 RtlUnwind
0x4c38e8 RaiseException
0x4c38ec GetStdHandle
0x4c3900 CloseHandle
Library kernel32.dll:
0x4c3908 TlsSetValue
0x4c390c TlsGetValue
0x4c3910 LocalAlloc
0x4c3914 GetModuleHandleW
Library user32.dll:
0x4c391c CreateWindowExW
0x4c3920 WaitMessage
0x4c3924 TranslateMessage
0x4c3928 TrackPopupMenu
0x4c392c ShowWindow
0x4c3930 SetWindowPos
0x4c3934 SetWindowPlacement
0x4c3938 SetScrollInfo
0x4c393c SetParent
0x4c3940 SetForegroundWindow
0x4c3944 SetFocus
0x4c3948 SetCursor
0x4c394c SendMessageW
0x4c3950 ScreenToClient
0x4c3954 ReleaseDC
0x4c3958 ReleaseCapture
0x4c395c RegisterClassW
0x4c3960 PtInRect
0x4c3964 PostQuitMessage
0x4c3968 PostMessageW
0x4c396c PeekMessageW
0x4c3970 OffsetRect
0x4c3974 OemToCharA
0x4c397c MessageBoxW
0x4c3980 LoadStringW
0x4c3984 IsWindowEnabled
0x4c3988 IsWindow
0x4c398c IsIconic
0x4c3990 InvalidateRect
0x4c3998 GetWindowTextW
0x4c399c GetWindowRect
0x4c39a0 GetWindowPlacement
0x4c39a4 GetUpdateRgn
0x4c39a8 GetSystemMetrics
0x4c39ac GetSysColor
0x4c39b0 GetScrollPos
0x4c39b4 GetScrollInfo
0x4c39b8 GetWindow
0x4c39bc GetKeyState
0x4c39c0 GetForegroundWindow
0x4c39c4 GetFocus
0x4c39c8 GetDC
0x4c39cc GetCursorPos
0x4c39d0 GetClientRect
0x4c39d4 GetCapture
0x4c39d8 FindWindowW
0x4c39dc FillRect
0x4c39e0 EnumWindows
0x4c39e4 EndPaint
0x4c39e8 EnableWindow
0x4c39ec DestroyWindow
0x4c39f0 DestroyIcon
0x4c39f4 CreatePopupMenu
0x4c39f8 CopyImage
0x4c39fc ClientToScreen
0x4c3a00 CharUpperBuffW
0x4c3a04 CharUpperW
0x4c3a08 CharNextW
0x4c3a0c CharLowerW
0x4c3a10 BeginPaint
Library gdi32.dll:
0x4c3a18 SetTextColor
0x4c3a1c SetROP2
0x4c3a20 SetBrushOrgEx
0x4c3a24 SetBkMode
0x4c3a28 SetBkColor
0x4c3a2c SelectObject
0x4c3a30 MoveToEx
0x4c3a34 GetStockObject
0x4c3a38 GetDeviceCaps
0x4c3a3c DeleteObject
0x4c3a40 DeleteDC
0x4c3a44 CreateSolidBrush
0x4c3a48 CreateRectRgn
0x4c3a4c CreateBrushIndirect
Library kernel32.dll:
0x4c3a54 lstrlenW
0x4c3a58 lstrcmpW
0x4c3a5c WriteFile
0x4c3a60 WriteConsoleA
0x4c3a64 WideCharToMultiByte
0x4c3a68 WaitForSingleObject
0x4c3a70 VirtualQueryEx
0x4c3a74 VirtualQuery
0x4c3a78 VirtualFree
0x4c3a7c TerminateThread
0x4c3a80 TerminateProcess
0x4c3a84 SwitchToThread
0x4c3a88 SuspendThread
0x4c3a8c Sleep
0x4c3a90 SizeofResource
0x4c3a94 SignalObjectAndWait
0x4c3a98 SetThreadPriority
0x4c3a9c SetLastError
0x4c3aa0 SetFileTime
0x4c3aa4 SetFilePointer
0x4c3aa8 SetFileAttributesW
0x4c3aac SetEvent
0x4c3ab0 SetEndOfFile
0x4c3ab4 ResumeThread
0x4c3ab8 ResetEvent
0x4c3abc ReleaseMutex
0x4c3ac0 ReadFile
0x4c3ac4 OpenProcess
0x4c3ac8 MultiByteToWideChar
0x4c3acc MoveFileW
0x4c3ad0 LockResource
0x4c3ad8 LoadResource
0x4c3adc LoadLibraryW
0x4c3ae4 IsValidLocale
0x4c3aec HeapFree
0x4c3af0 HeapAlloc
0x4c3af4 GetVersionExW
0x4c3af8 GetThreadPriority
0x4c3afc GetThreadLocale
0x4c3b00 GetStdHandle
0x4c3b04 GetProcessHeap
0x4c3b08 GetProcAddress
0x4c3b0c GetModuleHandleW
0x4c3b10 GetModuleFileNameW
0x4c3b14 GetLocaleInfoW
0x4c3b18 GetLocalTime
0x4c3b1c GetLastError
0x4c3b20 GetFullPathNameW
0x4c3b28 GetFileAttributesW
0x4c3b2c GetExitCodeThread
0x4c3b30 GetExitCodeProcess
0x4c3b38 GetDiskFreeSpaceExW
0x4c3b3c GetDiskFreeSpaceW
0x4c3b40 GetDateFormatW
0x4c3b44 GetCurrentThreadId
0x4c3b48 GetCurrentThread
0x4c3b4c GetCurrentProcessId
0x4c3b50 GetCurrentProcess
0x4c3b58 GetComputerNameW
0x4c3b5c GetCPInfo
0x4c3b60 FreeResource
0x4c3b68 InterlockedExchange
0x4c3b70 FreeLibrary
0x4c3b74 FormatMessageA
0x4c3b78 FormatMessageW
0x4c3b7c FindResourceExW
0x4c3b80 FindResourceW
0x4c3b84 FindNextFileW
0x4c3b88 FindFirstFileW
0x4c3b8c FindClose
0x4c3b9c EnumCalendarInfoW
0x4c3ba8 DeleteFileW
0x4c3bb0 CreateThread
0x4c3bb4 CreateProcessW
0x4c3bb8 CreateMutexW
0x4c3bbc CreateFileW
0x4c3bc0 CreateEventW
0x4c3bc4 CreateDirectoryW
0x4c3bc8 CompareStringW
0x4c3bcc CloseHandle
Library advapi32.dll:
0x4c3bd4 RegSetValueExW
0x4c3bd8 RegQueryValueExW
0x4c3bdc RegQueryInfoKeyW
0x4c3be0 RegOpenKeyExW
0x4c3be4 RegFlushKey
0x4c3be8 RegEnumKeyExW
0x4c3bec RegCreateKeyExW
0x4c3bf0 RegCreateKeyW
0x4c3bf4 RegCloseKey
0x4c3bf8 LookupAccountNameW
0x4c3bfc GetUserNameW
Library kernel32.dll:
0x4c3c04 Sleep
Library ole32.dll:
0x4c3c0c CoCreateInstance
0x4c3c10 CoUninitialize
0x4c3c14 CoInitialize
Library oleaut32.dll:
0x4c3c1c SafeArrayPtrOfIndex
0x4c3c20 SafeArrayGetUBound
0x4c3c24 SafeArrayGetLBound
0x4c3c28 SafeArrayCreate
0x4c3c2c VariantChangeType
0x4c3c30 VariantCopy
0x4c3c34 VariantClear
0x4c3c38 VariantInit
Library wininet.dll:
0x4c3c44 InternetWriteFile
0x4c3c4c InternetSetOptionA
0x4c3c50 InternetReadFile
0x4c3c58 InternetOpenA
0x4c3c5c InternetConnectA
0x4c3c60 InternetCloseHandle
0x4c3c64 HttpSendRequestA
0x4c3c68 HttpQueryInfoA
0x4c3c6c HttpOpenRequestA
Library shell32.dll:
0x4c3c7c ShellExecuteExW
0x4c3c80 ShellExecuteW
Library shell32.dll:
0x4c3c88 SHGetFolderPathW
Library shlwapi.dll:
0x4c3c90 PathFileExistsW
Library shlwapi.dll:
0x4c3c98 PathCanonicalizeW
Library ADVAPI32.DLL:
Library kernel32.dll:
Library psapi.dll:

Hosts

No hosts contacted. (The host list is empty even though the TCP table below names the domains resolved; rely on the TCP/UDP tables and the TLD signature above.)

TCP

Source          Src port  Destination      Resolved name                    Dst port
192.168.56.101  49185     104.21.6.87      softpreapi.ru                    443
192.168.56.101  49204     104.21.6.87      softpreapi.ru                    443
192.168.56.101  49207     104.21.96.25     softprecdn.ru                    443
192.168.56.101  49209     104.21.96.25     softprecdn.ru                    80
192.168.56.101  49220     172.67.166.16    stdater.ru                       443
192.168.56.101  49225     192.35.177.64    apps.identrust.com               80
192.168.56.101  49232     222.216.123.6    www.download.windowsupdate.com   80
104.21.0.0/16 and 172.67.0.0/16 are Cloudflare edge ranges, and the __cfduid cookie in the HTTP section confirms the three .ru hosts sit behind Cloudflare; pivot on the domain names, not on these IPs. The identrust and windowsupdate connections are the Microsoft-CryptoAPI certificate fetches shown below, not sample-chosen destinations.

UDP

Source Source Port Destination Destination Port
(114.114.114.114:53 is the sandbox's DNS resolver; 224.0.0.252:5355 is LLMNR and 192.168.56.255:137/138 is NetBIOS name-service and datagram broadcast, all standard Windows background traffic)
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50433 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 54260 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 60911 114.114.114.114 53
192.168.56.101 61680 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50568 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53500 224.0.0.252 5355
192.168.56.101 54178 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
(Only plaintext HTTP heads are listed; the HTTPS requests to softpreapi.ru and softprecdn.ru appear in the signatures only. The two requests with User-Agent Microsoft-CryptoAPI/6.1 are the OS fetching the Microsoft AuthRoot list and the DST Root CA X3 certificate to build a certificate chain; the softprecdn.ru requests carry no User-Agent at all, which is what the "suspicious features" signature keys on.)
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT
If-None-Match: "0d8f4f3f6fd71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://softprecdn.ru/offerscreens/only_offer_kis_100.png
GET /offerscreens/only_offer_kis_100.png HTTP/1.1
Host: softprecdn.ru
Connection: Keep-Alive
Cookie: __cfduid=dcdd57ea33b221a20090fde2f0f14c9201619273079

http://apps.identrust.com/roots/dstrootcax3.p7c
GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com

http://softprecdn.ru/offerscreens/avast-checkbox.png
GET /offerscreens/avast-checkbox.png HTTP/1.1
Host: softprecdn.ru
Connection: Keep-Alive
Cookie: __cfduid=dcdd57ea33b221a20090fde2f0f14c9201619273079

http://softprecdn.ru/offerscreens/avast-740x620x8-en.png
GET /offerscreens/avast-740x620x8-en.png HTTP/1.1
Host: softprecdn.ru
Connection: Keep-Alive
Cookie: __cfduid=dcdd57ea33b221a20090fde2f0f14c9201619273079

http://softprecdn.ru/offerscreens/only_offer_ya_100.png?rnd=<random>
GET /offerscreens/only_offer_ya_100.png?rnd=<random> HTTP/1.1
Host: softprecdn.ru
Connection: Keep-Alive
Cookie: __cfduid=dcdd57ea33b221a20090fde2f0f14c9201619273079
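The request heads above are enough to reproduce the "suspicious features" signature and to separate sample-originated traffic from OS-originated certificate fetches. The added example below (editorial, not the sandbox's code) parses the heads transcribed from this report, applies the two heuristics the signature names (GET without User-Agent, POST without Referer), tags Microsoft-CryptoAPI requests as Windows-originated, and derives the host list worth treating as indicators. The POST head is constructed, since the real one went over TLS and is not in the report; its User-Agent is taken from the useragent signature above as an assumption.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    target: str
    headers: dict = field(default_factory=dict)  # header names lower-cased

    @property
    def host(self):
        return self.headers.get("host", "")


def parse_request(raw):
    """Parse a raw HTTP/1.1 request head (request line plus header lines)."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of head; a body, if present, is not needed here
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, headers)


# User-Agent prefixes of Windows components that fetch certificate material on an
# application's behalf; such requests are not destinations the sample chose.
OS_AGENT_PREFIXES = ("Microsoft-CryptoAPI/",)


def origin(req):
    ua = req.headers.get("user-agent", "")
    return "windows-cryptoapi" if ua.startswith(OS_AGENT_PREFIXES) else "sample"


def suspicious_features(req):
    """The two heuristics the sandbox signature reports, made explicit."""
    feats = []
    if req.method == "GET" and "user-agent" not in req.headers:
        feats.append("GET method with no useragent header")
    if req.method == "POST" and "referer" not in req.headers:
        feats.append("POST method with no referer header")
    return feats


def triage(raw_requests):
    """Return per-request findings and the sorted hosts of sample-originated requests."""
    findings, iocs = [], set()
    for raw in raw_requests:
        req = parse_request(raw)
        where = origin(req)
        if where == "sample":
            iocs.add(req.host)
        findings.append((req.method, req.host + req.target, where, suspicious_features(req)))
    return findings, sorted(iocs)


# Request heads transcribed from this report.
REPORT_REQUESTS = [
    "GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1\n"
    "Cache-Control: max-age = 3600\nConnection: Keep-Alive\nAccept: */*\n"
    "User-Agent: Microsoft-CryptoAPI/6.1\nHost: www.download.windowsupdate.com\n",
    "GET /offerscreens/only_offer_kis_100.png HTTP/1.1\nHost: softprecdn.ru\n"
    "Connection: Keep-Alive\nCookie: __cfduid=dcdd57ea33b221a20090fde2f0f14c9201619273079\n",
    "GET /roots/dstrootcax3.p7c HTTP/1.1\nConnection: Keep-Alive\nAccept: */*\n"
    "User-Agent: Microsoft-CryptoAPI/6.1\nHost: apps.identrust.com\n",
    "GET /offerscreens/avast-checkbox.png HTTP/1.1\nHost: softprecdn.ru\n"
    "Connection: Keep-Alive\nCookie: __cfduid=dcdd57ea33b221a20090fde2f0f14c9201619273079\n",
]

# Constructed: the analytics POST went over TLS, so its head is not in the report.
CONSTRUCTED_POST = (
    "POST /analytics/ HTTP/1.1\nHost: softpreapi.ru\n"
    "User-Agent: Appinstaller/63e4a59 (Windows NT 6.1.7601)\n"
    "Content-Type: application/x-www-form-urlencoded\nContent-Length: 0\n"
)

if __name__ == "__main__":
    findings, iocs = triage(REPORT_REQUESTS + [CONSTRUCTED_POST])
    for method, url, where, feats in findings:
        print(f"{method:4} {where:17} {url}  {feats}")
    print("indicator hosts:", iocs)
```

The indicator list that falls out is softpreapi.ru and softprecdn.ru; www.download.windowsupdate.com and apps.identrust.com are dropped because the OS, not the sample, requested them. stdater.ru and getfreeav.ru were resolved but never appear in a plaintext head, so they must be added from the DNS and TCP sections rather than from this parser.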

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.