11.0
0-day

cfdb94b364a42302e1801a4c792b6ce161162e14c2d262eb799cfcf074dafcd8

396e9651ad4114c7417f0b07baa74221.exe

Analysis duration: 95s

Latest analysis

File size: 376.5KB
Static detection: flagged. Dynamic detection: flagged. 100% A + TROJ AGEN AI SCORE=81 AIDETECTVM ATTRIBUTE BABH@4X66J7 BLYANHDVF4V BSCOPE CONFIDENCE CRMJOT ELDORADO FTBXH18LGAG GENCIRC GENETIC HIGH CONFIDENCE HIGHCONFIDENCE KAZY KCLOUD KRYPTIK LUDER MALICIOUS PE MALWARE1 MYSTIC QVM20 R64792 SCORE SMODN STATIC AI SUSGEN TEPFER TSPY UNDEFINED UNSAFE XC1@AC3JIIOS ZBOT ZEGOST ZEUS ZEXAF
Eagle Eye (鹰眼) engine
Not detected: no Eagle Eye engine results available yet
Static verdict
Antivirus engines
Engine        Result                               Scan date   Engine version
Alibaba       -                                    20190527    0.3.0.5
Tencent       Malware.Win32.Gencirc.114b8d4b       20201211    1.0.0.1
Baidu         -                                    20190318    1.0.0.2
Kingsoft      Win32.Troj.Undef.(kcloud)            20201211    2017.9.26.565
McAfee        Agent-FCC!396E9651AD41               20201211    6.0.6.653
Avast         Win32:Mystic                         20201210    21.1.5827.0
CrowdStrike   win/malicious_confidence_100% (W)    20190702    1.0
Static indicators
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1619345036.967212
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Command line console output was observed (50 out of 73 events)
Time & API Arguments Status Return Repeated
1619365879.749125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365879.765125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365879.812125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365879.828125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365879.953125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365879.953125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365880.015125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365880.015125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365880.140125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365880.140125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365880.234125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365880.249125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365880.312125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365880.312125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365880.390125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365880.390125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365880.468125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365880.468125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365880.546125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365880.546125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365880.609125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365880.609125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365880.656125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365880.656125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365880.749125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365880.749125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365880.781125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365880.796125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365880.843125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365880.843125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365880.890125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365880.890125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365881.046125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365881.078125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365881.203125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365881.218125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365881.328125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365881.328125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365881.453125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365881.531125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365881.859125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365881.890125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365882.062125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365882.078125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365882.249125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365882.281125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365882.312125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365882.328125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
1619365882.374125
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
console_handle: 0x00000007
success 1 0
1619365882.374125
WriteConsoleW
buffer: 拒绝访问。
console_handle: 0x0000000b
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (2 events)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DigitalProductId
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallDate
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619345036.952212
GlobalMemoryStatusEx
success 1 0
Behavior verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (50 out of 111 events)
Time & API Arguments Status Return Repeated
1619345034.608212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 237568
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00490000
success 0 0
1619345034.608212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 237568
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004d0000
success 0 0
1619345034.639212
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 315392
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619345034.717212
NtAllocateVirtualMemory
process_identifier: 732
region_size: 159744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00520000
success 0 0
1619365518.517645
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004070000
success 0 0
1619365878.84325
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 237568
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00490000
success 0 0
1619365878.84325
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 237568
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004d0000
success 0 0
1619365878.85925
NtProtectVirtualMemory
process_identifier: 2976
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 315392
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619365878.85925
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 159744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00540000
success 0 0
1619365878.93725
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01ed0000
success 0 0
1619365878.93725
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01ee0000
success 0 0
1619365878.93725
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026f0000
success 0 0
1619365878.95325
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026c0000
success 0 0
1619365878.95325
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026d0000
success 0 0
1619365878.95325
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026e0000
success 0 0
1619365878.96825
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027d0000
success 0 0
1619365878.96825
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027e0000
success 0 0
1619365878.96825
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027f0000
success 0 0
1619365878.98425
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02800000
success 0 0
1619365878.99925
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02810000
success 0 0
1619365878.99925
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02820000
success 0 0
1619365879.01525
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02830000
success 0 0
1619365879.01525
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02840000
success 0 0
1619365879.03125
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02850000
success 0 0
1619365879.03125
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02860000
success 0 0
1619365879.04625
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02870000
success 0 0
1619365879.06225
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02880000
success 0 0
1619365879.06225
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02890000
success 0 0
1619365879.06225
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x028a0000
success 0 0
1619365879.07825
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x028b0000
success 0 0
1619365879.07825
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x028c0000
success 0 0
1619365879.09325
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027a0000
success 0 0
1619365879.09325
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027b0000
success 0 0
1619365879.09325
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027c0000
success 0 0
1619365879.09325
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x028d0000
success 0 0
1619365879.09325
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x028e0000
success 0 0
1619365879.10925
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x028f0000
success 0 0
1619365879.10925
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02900000
success 0 0
1619365879.10925
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02910000
success 0 0
1619365879.10925
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02920000
success 0 0
1619365879.10925
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02930000
success 0 0
1619365879.10925
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02940000
success 0 0
1619365879.12425
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02950000
success 0 0
1619365879.12425
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02960000
success 0 0
1619365879.12425
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02970000
success 0 0
1619365879.12425
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02980000
success 0 0
1619365879.12425
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02990000
success 0 0
1619365879.12425
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x029a0000
success 0 0
1619365879.14025
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02700000
success 0 0
1619365879.14025
NtAllocateVirtualMemory
process_identifier: 2976
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02710000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates executable files on the filesystem (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp675ad698.bat
Creates a service (1 event)
Time & API Arguments Status Return Repeated
1619345039.342212
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x005b5a38
display_name: Security Center Server - 2292174919
error_control: 1
service_name: SecurityCenterServer2292174919
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe"
filepath_r: "C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe"
service_manager_handle: 0x005b5bf0
desired_access: 983551
service_type: 16
password:
success 5986872 0
Creates a suspicious process (1 event)
cmdline "C:\Windows\system32\cmd.exe" /c "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\tmp675ad698.bat"
Drops an executable to the user AppData folder (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\396e9651ad4114c7417f0b07baa74221.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619365886.436625
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (4 events)
entropy 7.9248178445310655 section {'size_of_data': '0x00031e00', 'virtual_address': '0x00001000', 'entropy': 7.9248178445310655, 'name': '.text', 'virtual_size': '0x00031c2e'} description A section with a high entropy has been found
entropy 7.792856261441423 section {'size_of_data': '0x00003c00', 'virtual_address': '0x00037000', 'entropy': 7.792856261441423, 'name': '.data', 'virtual_size': '0x0002987a'} description A section with a high entropy has been found
entropy 7.968063527120924 section {'size_of_data': '0x00006e00', 'virtual_address': '0x0007a000', 'entropy': 7.968063527120924, 'name': '.rdata', 'virtual_size': '0x00006d98'} description A section with a high entropy has been found
entropy 0.6461949265687583 description Overall entropy of this PE file is high
Reads the system's User Agent and subsequently performs requests (1 event)
Time & API Arguments Status Return Repeated
1619365947.42125
InternetOpenA
proxy_bypass:
access_type: 1
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
Terminates another process (4 events)
Time & API Arguments Status Return Repeated
1619365947.40625
NtTerminateProcess
status_code: 0x00000000
process_identifier: 3100
process_handle: 0x0000022c
failed 0 0
1619365947.40625
NtTerminateProcess
status_code: 0x00000000
process_identifier: 3100
process_handle: 0x0000022c
failed 3221225738 0
1619365911.358625
NtTerminateProcess
status_code: 0x00000000
process_identifier: 3256
process_handle: 0x0000045c
failed 0 0
1619365911.358625
NtTerminateProcess
status_code: 0x00000000
process_identifier: 3256
process_handle: 0x0000045c
success 0 0
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Installs itself for autorun at Windows startup (50 out of 1035 events)
service_name SecurityCenterServer2292174919 service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe"
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Huuzopgoby reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Doypiv\yldoihx.exe
Disables proxy possibly for traffic interception (1 event)
Time & API Arguments Status Return Repeated
1619365885.842625
RegSetValueExA
key_handle: 0x000003a0
value: 0
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
success 0 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1619365888.998625
RegSetValueExA
key_handle: 0x00000498
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619365888.998625
RegSetValueExA
key_handle: 0x00000498
value: p÷¥[»9×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619365888.998625
RegSetValueExA
key_handle: 0x00000498
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619365888.998625
RegSetValueExW
key_handle: 0x00000498
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619365889.014625
RegSetValueExA
key_handle: 0x000004ac
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619365889.014625
RegSetValueExA
key_handle: 0x000004ac
value: p÷¥[»9×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619365889.014625
RegSetValueExA
key_handle: 0x000004ac
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619365889.045625
RegSetValueExW
key_handle: 0x00000494
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 2976 resumed a thread in remote process 3100
Time & API Arguments Status Return Repeated
1619365879.51525
NtResumeThread
thread_handle: 0x00000228
suspend_count: 1
process_identifier: 3100
success 0 0
Creates and runs a batch file to remove the original binary (1 event)
file d95c7a994c2a9c7c_tmp675ad698.bat
Zeus P2P (Banking Trojan) (16 events)
mutex Local\{33B5C8FB-A7E8-3264-73FA-7BE9D130306E}
mutex Global\{3571E09F-8F8C-34A0-4192-CB69E35880EE}
mutex Global\{79F51BDE-74CD-7824-73FA-7BE9D130306E}
mutex Local\{1813ADC9-C2DA-19C2-73FA-7BE9D130306E}
mutex Global\{89ACEDB0-82A3-887D-73FA-7BE9D130306E}
Generates some ICMP traffic
File has been identified by 60 AntiVirus engines on VirusTotal as malicious (50 out of 60 events)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
DrWeb Trojan.Packed.2952
MicroWorld-eScan Gen:Variant.Kazy.169680
FireEye Generic.mg.396e9651ad4114c7
ALYac Gen:Variant.Kazy.169680
Cylance Unsafe
VIPRE Trojan.Win32.Zbot.aba (v)
Sangfor Malware
K7AntiVirus Riskware ( 0040eff71 )
BitDefender Gen:Variant.Kazy.169680
K7GW Riskware ( 0040eff71 )
Cybereason malicious.1ad411
BitDefenderTheta Gen:NN.ZexaF.34670.xC1@aC3JIIoS
Cyren W32/A-2e60ef25!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
ClamAV Win.Worm.Luder-150
Kaspersky HEUR:Trojan.Win32.Generic
NANO-Antivirus Trojan.Win32.Luder.crmjot
AegisLab Worm.Win32.Luder.o!c
Tencent Malware.Win32.Gencirc.114b8d4b
Ad-Aware Gen:Variant.Kazy.169680
Emsisoft Gen:Variant.Kazy.169680 (B)
Comodo TrojWare.Win32.Kryptik.BABH@4x66j7
F-Secure Heuristic.HEUR/AGEN.1119476
Zillya Worm.Luder.Win32.244
TrendMicro TSPY_ZBOT.SMODN
McAfee-GW-Edition BehavesLike.Win32.Generic.fc
Sophos ML/PE-A + Troj/Zbot-EWD
Ikarus Worm.Win32.Luder
Webroot W32.Infostealer.Zeus
Avira HEUR/AGEN.1119476
MAX malware (ai score=81)
Antiy-AVL Worm/Win32.Luder
Kingsoft Win32.Troj.Undef.(kcloud)
Microsoft PWS:Win32/Zbot
Arcabit Trojan.Kazy.D296D0
SUPERAntiSpyware Trojan.Agent/Gen-Zegost
ZoneAlarm HEUR:Trojan.Win32.Generic
GData Gen:Variant.Kazy.169680
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Tepfer.R64792
Acronis suspicious
McAfee Agent-FCC!396E9651AD41
VBA32 BScope.Trojan.Packed
Malwarebytes Backdoor.Agent.RND
Panda Trj/Genetic.gen
ESET-NOD32 Win32/Spy.Zbot.ABC
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran

PE Compile Time

2012-07-03 14:39:00

Imports

Library KERNEL32.dll:
0x436000 ReleaseMutex
0x436008 GlobalAlloc
0x43600c lstrlenW
0x436010 CompareStringW
0x436014 GetStartupInfoA
0x436018 InterlockedExchange
0x43601c GetSystemInfo
0x436020 GetCommandLineW
0x436028 GlobalFree
0x43602c GetTickCount
0x436030 GetModuleHandleA
0x436034 CloseHandle
0x436038 SetLastError
0x43603c GetCurrentProcessId
0x436040 CreateMutexW
0x436044 GetCurrentProcess
0x436048 HeapSetInformation
0x43604c LoadLibraryA
0x436054 WaitForSingleObject
0x436058 GetCPInfo
0x43605c lstrcmpiW
Library MSVCRT.dll:
0x436064 __getmainargs
0x436068 exit
0x43606c _ismbblead
0x436070 _controlfp
0x436074 _initterm
0x436078 _exit
0x43607c _XcptFilter
0x436080 _amsg_exit
0x436084 __p__fmode
0x436088 ?terminate@@YAXXZ
0x43608c __setusermatherr
0x436090 __set_app_type
0x436094 _vsnwprintf
0x436098 _cexit
0x43609c _acmdln
0x4360a0 __p__commode
Library ADVAPI32.dll:
0x4360a8 RegDeleteKeyW
0x4360ac RegQueryValueExW
0x4360b4 RegOpenKeyExW
0x4360b8 RegSetValueExW
0x4360c0 RegCloseKey
0x4360c4 FreeSid
0x4360c8 RegEnumKeyExW
0x4360cc RegCreateKeyExW
Library USER32.dll:
0x4360d4 MessageBoxW
0x4360d8 LoadStringW
Library TAPI32.dll:
0x4360e0 lineRemoveProvider

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57874 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.