15.2
0-day
28 个模型检测该样本为恶意!
重新分析
更多

c8410b8060b5fdcbb93f1023be48ef744159aba91ebf6d9a548daa3d40cb5747

3084bb6d51095d71caf94ea2c133f50c.exe

分析耗时

130s

最近分析

文件大小

2.0MB
静态报毒 动态报毒 9XQL2CUDNMM5GK9OFYREXQ ARTEMIS BUNDLER FUSIONCORE GCJMYK GENERIC PUA GF GENERIC@ML HIGH CONFIDENCE INSTALLCORE QUCO RDMK SCORE SUSGEN UNSAFE VIGUA 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast 20200528 18.4.3895.0
Kingsoft 20200528 2013.8.14.323
McAfee Artemis!3084BB6D5109 20200528 6.0.6.653
Tencent 20200528 1.0.0.1
CrowdStrike 20190702 1.0
静态指标
Queries for the computername (7 个事件)
Time & API Arguments Status Return Repeated
1620743131.011125
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1620743196.793125
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1620743214.621625
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620743214.871625
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620743216.371625
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620743218.777625
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620743208.730375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (1 个事件)
Time & API Arguments Status Return Repeated
1620743128.496625
IsDebuggerPresent
failed 0 0
Command line console output was observed (10 个事件)
Time & API Arguments Status Return Repeated
1620743201.1835
WriteConsoleA
buffer: 7-Zip (a) 17.01 beta (x86) : Copyright (c) 1999-2017 Igor Pavlov : 2017-08-28
console_handle: 0x00000007
success 1 0
1620743201.1835
WriteConsoleA
buffer: Scanning the drive for archives:
console_handle: 0x00000007
success 1 0
1620743201.3865
WriteConsoleA
buffer: 0M Scan C:\Users\ADMINI~1.OSK\AppData\Local\Temp\is-03STE.tmp\
console_handle: 0x00000007
success 1 0
1620743201.4335
WriteConsoleA
buffer: ERROR:
console_handle: 0x0000000b
success 1 0
1620743201.4335
WriteConsoleA
buffer: ϵͳÕÒ²»µ½Ö¸¶¨µÄÎļþ¡£
console_handle: 0x0000000b
success 1 0
1620743201.4805
WriteConsoleA
buffer: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\is-03STE.tmp\megacubo.7z
console_handle: 0x0000000b
success 1 0
1620743201.5115
WriteConsoleA
buffer: System ERROR:
console_handle: 0x0000000b
success 1 0
1620743201.5115
WriteConsoleA
buffer: ϵͳÕÒ²»µ½Ö¸¶¨µÄÎļþ¡£
console_handle: 0x0000000b
success 1 0
1620743210.277375
WriteConsoleW
buffer: 错误: 没有找到进程 "megacubo.exe"。
console_handle: 0x0000000b
success 1 0
1620743210.277375
WriteConsoleW
buffer: 错误: 没有找到进程 "ffmpeg.exe"。
console_handle: 0x0000000b
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (2 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\MachineGuid
Tries to locate where the browsers are installed (1 个事件)
file c:\program files\Google\Chrome\application\chrome.exe
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1620743186.215125
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)
section CODE
section DATA
section BSS
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1620743218.183125
__exception__
stacktrace: 
3084bb6d51095d71caf94ea2c133f50c+0x8339e @ 0x48339e
3084bb6d51095d71caf94ea2c133f50c+0x83fad @ 0x483fad
3084bb6d51095d71caf94ea2c133f50c+0x84064 @ 0x484064
3084bb6d51095d71caf94ea2c133f50c+0x6c26d @ 0x46c26d
3084bb6d51095d71caf94ea2c133f50c+0x413cf @ 0x4413cf
3084bb6d51095d71caf94ea2c133f50c+0x42978 @ 0x442978
3084bb6d51095d71caf94ea2c133f50c+0x45bdc @ 0x445bdc
3084bb6d51095d71caf94ea2c133f50c+0x3faf7 @ 0x43faf7
3084bb6d51095d71caf94ea2c133f50c+0x3d76b @ 0x43d76b
3084bb6d51095d71caf94ea2c133f50c+0x46760 @ 0x446760
3084bb6d51095d71caf94ea2c133f50c+0x4626f @ 0x44626f
3084bb6d51095d71caf94ea2c133f50c+0x16c30 @ 0x416c30
3084bb6d51095d71caf94ea2c133f50c+0x1f3c2 @ 0x41f3c2
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x775a6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x775a6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77d4011a
SendMessageW+0x4c GetAncestor-0xc0 user32+0x196c5 @ 0x775a96c5
GetEffectiveClientRect+0x3409 DPA_Merge-0xa5a comctl32+0xa4601 @ 0x75434601
GetEffectiveClientRect+0x346b DPA_Merge-0x9f8 comctl32+0xa4663 @ 0x75434663
GetEffectiveClientRect+0x32f5 DPA_Merge-0xb6e comctl32+0xa44ed @ 0x754344ed
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetClientRect+0xc5 CallWindowProcW-0xb user32+0x20d27 @ 0x775b0d27
CallWindowProcA+0x1b GetClassNameA-0x95 user32+0x2794a @ 0x775b794a
3084bb6d51095d71caf94ea2c133f50c+0x16bf5 @ 0x416bf5

registers.esp: 1634496
registers.edi: 1
registers.eax: 1634496
registers.ebp: 1634576
registers.edx: 0
registers.ebx: 1
registers.esi: 31550656
registers.ecx: 7
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedface
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
Performs some HTTP requests (8 个事件)
request GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
request HEAD http://megacubo.tv/bin/package/?arch=64&src=3084bb6d51095d71caf94ea2c133f50c&lic=Free
request GET http://crl3.digicert.com/Omniroot2025.crl
request GET http://megacubo.tv/bin/package/?arch=64&src=3084bb6d51095d71caf94ea2c133f50c&lic=Free
request HEAD https://megacubo.tv/bin/package/?arch=64&src=3084bb6d51095d71caf94ea2c133f50c&lic=Free
request HEAD https://megacubo.tv/bin/packages/16.1.4_free_x64.7z
request GET https://megacubo.tv/bin/package/?arch=64&src=3084bb6d51095d71caf94ea2c133f50c&lic=Free
request GET https://megacubo.tv/bin/packages/16.1.4_free_x64.7z
Allocates read-write-execute memory (usually to unpack itself) (9 个事件)
Time & API Arguments Status Return Repeated
1620743128.293625
NtProtectVirtualMemory
process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1620743128.293625
NtProtectVirtualMemory
process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00401000
success 0 0
1620743128.293625
NtProtectVirtualMemory
process_identifier: 1544
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 163840
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0040f000
success 0 0
1620743129.511125
NtAllocateVirtualMemory
process_identifier: 2272
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1620743180.933125
NtAllocateVirtualMemory
process_identifier: 2272
region_size: 929792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04f50000
success 0 0
1620743180.980125
NtProtectVirtualMemory
process_identifier: 2272
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 1204224
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05351000
success 0 0
1620743180.980125
NtProtectVirtualMemory
process_identifier: 2272
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 925696
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05477000
success 0 0
1620743181.105125
NtAllocateVirtualMemory
process_identifier: 2272
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05050000
success 0 0
1620743203.121625
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004810000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
A process attempted to delay the analysis task. (1 个事件)
description 3084bb6d51095d71caf94ea2c133f50c.tmp tried to sleep 203 seconds, actually delayed analysis time by 203 seconds
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (5 个事件)
Time & API Arguments Status Return Repeated
1620743185.652125
GetDiskFreeSpaceW
root_path: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\is-TSA4J.tmp\3084bb6d51095d71caf94ea2c133f50c.tmp
sectors_per_cluster: 99284676
number_of_free_clusters: 0
total_number_of_clusters: 90630976
bytes_per_sector: 0
failed 0 0
1620743186.215125
GetDiskFreeSpaceW
root_path: C:
sectors_per_cluster: 8
number_of_free_clusters: 4787719
total_number_of_clusters: 8362495
bytes_per_sector: 512
success 1 0
1620743192.402125
GetDiskFreeSpaceW
root_path: C:
sectors_per_cluster: 8
number_of_free_clusters: 4740919
total_number_of_clusters: 8362495
bytes_per_sector: 512
success 1 0
1620743196.808125
GetDiskFreeSpaceW
root_path: C:
sectors_per_cluster: 8
number_of_free_clusters: 4726532
total_number_of_clusters: 8362495
bytes_per_sector: 512
success 1 0
1620743222.730625
GetDiskFreeSpaceExW
root_path: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Explorer
free_bytes_available: 19348299776
total_number_of_free_bytes: 0
total_number_of_bytes: 0
success 1 0
Steals private information from local Internet browsers (28 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ZxcvbnData\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\MEIPreload\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\pnacl\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\OnDeviceHeadSuggestModel\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\SafetyTips\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\SwReporter\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Floc\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\OriginTrials\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ThirdPartyModuleList64\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Subresource Filter\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\TLSDeprecationConfig\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Safe Browsing\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\hyphen-data\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Cache\
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crowd Deny\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\FontLookupTableCache\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\AutofillStates\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\WidevineCdm\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\RecoveryImproved\Cache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\GrShaderCache\Cache
Creates executable files on the filesystem (7 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-03STE.tmp\_isetup\_shfoldr.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-03STE.tmp\libSoftMeter.dll
file C:\Users\Administrator.Oskar-PC\Desktop\Megacubo.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-03STE.tmp\XbiMTMYCfxT.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-03STE.tmp\idp.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Megacubo\Megacubo.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Megacubo.lnk
Creates a shortcut to an executable file (14 个事件)
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file C:\Users\Administrator.Oskar-PC\Desktop\Megacubo.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
file C:\Users\Public\Desktop\Google Chrome.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Magnify.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Megacubo\Megacubo.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Megacubo.lnk
Executes one or more WMI queries (1 个事件)
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "megacubo.exe" OR Caption = "ffmpeg.exe")
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 个事件)
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1620743166.808125
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (11 个事件)
Time & API Arguments Status Return Repeated
1620743216.371625
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620743216.558625
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620743216.746625
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620743216.965625
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620743217.168625
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620743217.543625
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620743217.621625
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620743218.136625
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620743201.1685
LookupPrivilegeValueW
system_name:
privilege_name: SeRestorePrivilege
success 1 0
1620743201.3715
LookupPrivilegeValueW
system_name:
privilege_name: SeSecurityPrivilege
success 1 0
1620743208.683375
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Expresses interest in specific running processes (1 个事件)
process 3084bb6d51095d71caf94ea2c133f50c.tmp
Queries for potentially installed applications (4 个事件)
Time & API Arguments Status Return Repeated
1620743166.496125
RegOpenKeyExA
access: 0x00000001
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{73924FFF-7A47-424D-BA45-659BB5CC194A}_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{73924FFF-7A47-424D-BA45-659BB5CC194A}_is1
options: 0
failed 2 0
1620743166.496125
RegOpenKeyExA
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{73924FFF-7A47-424D-BA45-659BB5CC194A}_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{73924FFF-7A47-424D-BA45-659BB5CC194A}_is1
options: 0
failed 2 0
1620743199.668125
RegOpenKeyExA
access: 0x00000008
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{73924FFF-7A47-424D-BA45-659BB5CC194A}_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{73924FFF-7A47-424D-BA45-659BB5CC194A}_is1
options: 0
failed 2 0
1620743199.683125
RegOpenKeyExA
access: 0x00000008
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{73924FFF-7A47-424D-BA45-659BB5CC194A}_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{73924FFF-7A47-424D-BA45-659BB5CC194A}_is1
options: 0
failed 2 0
Uses Windows utilities for basic Windows functionality (1 个事件)
cmdline "C:\Windows\system32\taskkill.exe" /F /IM megacubo.exe /IM ffmpeg.exe
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Creates an Alternate Data Stream (ADS) (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3084bb6d51095d71caf94ea2c133f50c.exe:Zone.Identifier:$DATA
Checks the version of Bios, possibly for anti-virtualization (1 个事件)
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
Checks the CPU name from registry, possibly for anti-virtualization (1 个事件)
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Disables proxy possibly for traffic interception (1 个事件)
Time & API Arguments Status Return Repeated
1620743131.590125
RegSetValueExA
key_handle: 0x00000300
value: 0
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
success 0 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)
Time & API Arguments Status Return Repeated
1620743169.371125
RegSetValueExA
key_handle: 0x00000420
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620743169.371125
RegSetValueExA
key_handle: 0x00000420
value: °Ö÷yF×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620743169.371125
RegSetValueExA
key_handle: 0x00000420
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620743169.371125
RegSetValueExW
key_handle: 0x00000420
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620743169.371125
RegSetValueExA
key_handle: 0x0000043c
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620743169.386125
RegSetValueExA
key_handle: 0x0000043c
value: °Ö÷yF×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620743169.386125
RegSetValueExA
key_handle: 0x0000043c
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620743169.418125
RegSetValueExW
key_handle: 0x0000041c
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x40d0c4 VirtualFree
0x40d0c8 VirtualAlloc
0x40d0cc LocalFree
0x40d0d0 LocalAlloc
0x40d0d4 WideCharToMultiByte
0x40d0d8 TlsSetValue
0x40d0dc TlsGetValue
0x40d0e0 MultiByteToWideChar
0x40d0e4 GetModuleHandleA
0x40d0e8 GetLastError
0x40d0ec GetCommandLineA
0x40d0f0 WriteFile
0x40d0f4 SetFilePointer
0x40d0f8 SetEndOfFile
0x40d0fc RtlUnwind
0x40d100 ReadFile
0x40d104 RaiseException
0x40d108 GetStdHandle
0x40d10c GetFileSize
0x40d110 GetSystemTime
0x40d114 GetFileType
0x40d118 ExitProcess
0x40d11c CreateFileA
0x40d120 CloseHandle
Library user32.dll:
0x40d128 MessageBoxA
Library oleaut32.dll:
0x40d130 VariantChangeTypeEx
0x40d134 VariantCopyInd
0x40d138 VariantClear
0x40d13c SysStringLen
0x40d140 SysAllocStringLen
Library advapi32.dll:
0x40d148 RegQueryValueExA
0x40d14c RegOpenKeyExA
0x40d150 RegCloseKey
0x40d154 OpenProcessToken
Library kernel32.dll:
0x40d160 WriteFile
0x40d164 VirtualQuery
0x40d168 VirtualProtect
0x40d16c VirtualFree
0x40d170 VirtualAlloc
0x40d174 Sleep
0x40d178 SizeofResource
0x40d17c SetLastError
0x40d180 SetFilePointer
0x40d184 SetErrorMode
0x40d188 SetEndOfFile
0x40d18c RemoveDirectoryA
0x40d190 ReadFile
0x40d194 LockResource
0x40d198 LoadResource
0x40d19c LoadLibraryA
0x40d1a0 IsDBCSLeadByte
0x40d1a8 GetVersionExA
0x40d1b0 GetSystemInfo
0x40d1b8 GetProcAddress
0x40d1bc GetModuleHandleA
0x40d1c0 GetModuleFileNameA
0x40d1c4 GetLocaleInfoA
0x40d1c8 GetLastError
0x40d1cc GetFullPathNameA
0x40d1d0 GetFileSize
0x40d1d4 GetFileAttributesA
0x40d1d8 GetExitCodeProcess
0x40d1e0 GetCurrentProcess
0x40d1e4 GetCommandLineA
0x40d1e8 GetACP
0x40d1ec InterlockedExchange
0x40d1f0 FormatMessageA
0x40d1f4 FindResourceA
0x40d1f8 DeleteFileA
0x40d1fc CreateProcessA
0x40d200 CreateFileA
0x40d204 CreateDirectoryA
0x40d208 CloseHandle
Library user32.dll:
0x40d210 TranslateMessage
0x40d214 SetWindowLongA
0x40d218 PeekMessageA
0x40d220 MessageBoxA
0x40d224 LoadStringA
0x40d228 ExitWindowsEx
0x40d22c DispatchMessageA
0x40d230 DestroyWindow
0x40d234 CreateWindowExA
0x40d238 CallWindowProcA
0x40d23c CharPrevA
Library comctl32.dll:
0x40d244 InitCommonControls
Library advapi32.dll:

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49194 104.21.22.178 megacubo.tv 443
192.168.56.101 49206 104.21.22.178 megacubo.tv 80
192.168.56.101 49208 104.21.22.178 megacubo.tv 443
192.168.56.101 49209 104.21.22.178 megacubo.tv 443
192.168.56.101 49202 93.184.220.29 crl3.digicert.com 80
192.168.56.101 49207 93.184.220.29 crl3.digicert.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49710 114.114.114.114 53
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50047 114.114.114.114 53
192.168.56.101 50320 114.114.114.114 53
192.168.56.101 53500 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 53661 114.114.114.114 53
192.168.56.101 55331 114.114.114.114 53
192.168.56.101 56743 114.114.114.114 53
192.168.56.101 57089 114.114.114.114 53
192.168.56.101 57236 114.114.114.114 53
192.168.56.101 58070 114.114.114.114 53
192.168.56.101 58970 114.114.114.114 53
192.168.56.101 59789 114.114.114.114 53
192.168.56.101 60088 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53

HTTP & HTTPS Requests

URI Data
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D 
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.digicert.com
http://megacubo.tv/bin/package/?arch=64&src=3084bb6d51095d71caf94ea2c133f50c&lic=Free 
GET /bin/package/?arch=64&src=3084bb6d51095d71caf94ea2c133f50c&lic=Free HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.5
Host: megacubo.tv
Connection: Keep-Alive
Cache-Control: no-cache
http://megacubo.tv/bin/package/?arch=64&src=3084bb6d51095d71caf94ea2c133f50c&lic=Free 
HEAD /bin/package/?arch=64&src=3084bb6d51095d71caf94ea2c133f50c&lic=Free HTTP/1.1
Accept: */*
User-Agent: InnoDownloadPlugin/1.5
Host: megacubo.tv
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
http://crl3.digicert.com/Omniroot2025.crl 
GET /Omniroot2025.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl3.digicert.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.