6.8
High risk

e7610c70046ad33f68b7bdecbdee441993e2d0bf30b6285510f9e23b4874ee72

4269982ef85ad7fd773189dac639a2ec.exe

Analysis duration

108s

Last analyzed

File size

946.1KB
Static detection / Dynamic detection: EBTXV
Eagle Eye engine
Not detected. No Eagle Eye engine detection results yet.
Static verdict
Antivirus engines
Engine Result Scan date Engine version
McAfee 20210420 6.0.6.653
Alibaba 20190527 0.3.0.5
Avast 20210420 21.1.5827.0
Tencent 20210421 1.0.0.1
Baidu 20190318 1.0.0.2
Kingsoft 20210421 2017.9.26.565
CrowdStrike 20210203 1.0
Static indicators
This executable is signed
This executable has a PDB path (1 event)
pdb_path d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1620751355.408751
GlobalMemoryStatusEx
success 1 0
Behavioral verdict
Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features: POST method with no referer header
suspicious_request: POST https://update.googleapis.com/service/update2?cup2key=10:3593119772&cup2hreq=763875531e0b93172e29a84b2eccd5223104e188de9cf0c87c37584282805ebc
Performs some HTTP requests (4 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620722420&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=8eb86e1da701533d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620722420&mv=m&mvi=3
request POST https://update.googleapis.com/service/update2?cup2key=10:3593119772&cup2hreq=763875531e0b93172e29a84b2eccd5223104e188de9cf0c87c37584282805ebc
Sends data using the HTTP POST Method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:3593119772&cup2hreq=763875531e0b93172e29a84b2eccd5223104e188de9cf0c87c37584282805ebc
Allocates read-write-execute memory (usually to unpack itself) (50 out of 334 events)
Time & API Arguments Status Return Repeated
1620726222.122176
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75121000
success 0 0
1620726222.372176
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75101000
success 0 0
1620726223.794176
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75a11000
success 0 0
1620726223.794176
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x766c1000
success 0 0
1620726223.794176
NtProtectVirtualMemory
process_identifier: 732
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77691000
success 0 0
1620751353.174751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74231000
success 0 0
1620751355.346751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75391000
success 0 0
1620751355.408751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75011000
success 0 0
1620751355.408751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76881000
success 0 0
1620751356.877751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x10080000
success 0 0
1620751356.877751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77531000
success 0 0
1620751356.877751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75a01000
success 0 0
1620751356.877751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x764c1000
success 0 0
1620751356.877751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04471000
success 0 0
1620751356.877751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74091000
success 0 0
1620751356.877751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74081000
success 0 0
1620751356.877751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74001000
success 0 0
1620751356.877751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73fd1000
success 0 0
1620751356.877751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x044bc000
success 0 0
1620751356.971751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73fc1000
success 0 0
1620751358.174751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x10080000
success 0 0
1620751358.174751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77531000
success 0 0
1620751358.174751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75a01000
success 0 0
1620751358.174751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x764c1000
success 0 0
1620751358.174751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04471000
success 0 0
1620751358.174751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73ed1000
success 0 0
1620751358.174751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x741e1000
success 0 0
1620751358.174751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x044bc000
success 0 0
1620751358.315751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74181000
success 0 0
1620751361.299751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x10080000
success 0 0
1620751361.299751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77531000
success 0 0
1620751361.299751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75a01000
success 0 0
1620751361.299751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x764c1000
success 0 0
1620751361.299751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04481000
success 0 0
1620751361.299751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73de1000
success 0 0
1620751361.299751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74171000
success 0 0
1620751361.299751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x044cc000
success 0 0
1620751362.502751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x10080000
success 0 0
1620751362.502751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77531000
success 0 0
1620751362.502751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75a01000
success 0 0
1620751362.502751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x764c1000
success 0 0
1620751362.502751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04481000
success 0 0
1620751362.502751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73ed1000
success 0 0
1620751362.502751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x741e1000
success 0 0
1620751362.502751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x044cc000
success 0 0
1620751365.533751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x10080000
success 0 0
1620751365.533751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77531000
success 0 0
1620751365.533751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75a01000
success 0 0
1620751365.533751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x764c1000
success 0 0
1620751365.533751
NtProtectVirtualMemory
process_identifier: 2712
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x04481000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Foreign language identified in PE resource (18 events)
name RT_BITMAP language LANG_CHINESE offset 0x0002148c filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000bb6
name RT_ICON language LANG_CHINESE offset 0x000229bc filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000008a8
name RT_ICON language LANG_CHINESE offset 0x000229bc filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000008a8
name RT_ICON language LANG_CHINESE offset 0x000229bc filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000008a8
name RT_ICON language LANG_CHINESE offset 0x000229bc filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000008a8
name RT_DIALOG language LANG_CHINESE offset 0x000238f4 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000019e
name RT_DIALOG language LANG_CHINESE offset 0x000238f4 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000019e
name RT_DIALOG language LANG_CHINESE offset 0x000238f4 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000019e
name RT_DIALOG language LANG_CHINESE offset 0x000238f4 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000019e
name RT_DIALOG language LANG_CHINESE offset 0x000238f4 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000019e
name RT_DIALOG language LANG_CHINESE offset 0x000238f4 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000019e
name RT_STRING language LANG_CHINESE offset 0x00023f5c filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000002c
name RT_STRING language LANG_CHINESE offset 0x00023f5c filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000002c
name RT_STRING language LANG_CHINESE offset 0x00023f5c filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000002c
name RT_STRING language LANG_CHINESE offset 0x00023f5c filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000002c
name RT_STRING language LANG_CHINESE offset 0x00023f5c filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000002c
name RT_GROUP_ICON language LANG_CHINESE offset 0x00023f88 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000003e
name RT_MANIFEST language LANG_CHINESE offset 0x00023fc8 filetype XML 1.0 document, ASCII text, with CRLF line terminators sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x000005b8
Creates executable files on the filesystem (10 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2\XDViewV6.575\HHNetClient.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2\XDViewV6.575\Hook.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2\XDViewV6.575\XDView.ocx
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2\XDViewV6.575\HH5PlayerSDK.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2\XDViewV6.575\aacdecoder.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2\XDViewV6.575\BmpToJpg.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2\XDViewV6.575\ocxInstall.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2\XDViewV6.575\hi_h264dec.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2\XDViewV6.575\Install_en.bat
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2\XDViewV6.575\Install.bat
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2\XDViewV6.575\ocxInstall.exe
Drops an executable to the user AppData folder (4 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2\XDViewV6.575\HHNetClient.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2\XDViewV6.575\aacdecoder.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2\XDViewV6.575\Hook.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\RarSFX2\XDViewV6.575\ocxInstall.exe
File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)
Jiangmin Trojan.Generic.ebtxv
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Creates a windows hook that monitors keyboard input (keylogger) (1 event)
Time & API Arguments Status Return Repeated
1620751356.893751
SetWindowsHookExA
thread_identifier: 0
callback_function: 0x041210b0
module_address: 0x04120000
hook_identifier: 2 (WH_KEYBOARD)
success 852089 0
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)
dead_host 216.58.200.46:443
Visual analysis
Binary image
No binary image: the sample did not generate a binary visualization image.
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample ran.

PE Compile Time

2009-08-16 19:05:35

Imports

Library COMCTL32.dll:
0x41202c
Library KERNEL32.dll:
0x412068 DeleteFileA
0x41206c DeleteFileW
0x412070 CreateDirectoryA
0x412074 CreateDirectoryW
0x412078 FindClose
0x41207c FindNextFileA
0x412080 FindFirstFileA
0x412084 FindNextFileW
0x412088 FindFirstFileW
0x41208c GetTickCount
0x412090 WideCharToMultiByte
0x412094 MultiByteToWideChar
0x412098 GetVersionExA
0x41209c GlobalAlloc
0x4120a0 lstrlenA
0x4120a4 GetModuleFileNameA
0x4120a8 FindResourceA
0x4120ac GetModuleHandleA
0x4120b0 HeapAlloc
0x4120b4 GetProcessHeap
0x4120b8 HeapFree
0x4120bc HeapReAlloc
0x4120c0 CompareStringA
0x4120c4 ExitProcess
0x4120c8 GetLocaleInfoA
0x4120cc GetNumberFormatA
0x4120d0 GetProcAddress
0x4120d8 GetDateFormatA
0x4120dc GetTimeFormatA
0x4120ec WaitForSingleObject
0x4120f4 Sleep
0x4120f8 GetTempPathA
0x4120fc MoveFileExA
0x412100 GetModuleFileNameW
0x412108 GetCommandLineA
0x412114 GetSystemTime
0x412118 IsDBCSLeadByte
0x41211c GetCPInfo
0x412120 FreeLibrary
0x412124 LoadLibraryA
0x41212c GetFullPathNameA
0x412130 SetFileAttributesW
0x412134 SetFileAttributesA
0x412138 GetFileAttributesW
0x41213c GetFileAttributesA
0x412140 WriteFile
0x412144 GetStdHandle
0x412148 ReadFile
0x41214c SetLastError
0x412150 CreateFileW
0x412154 CreateFileA
0x412158 GetFileType
0x41215c SetEndOfFile
0x412160 SetFilePointer
0x412164 MoveFileA
0x412168 SetFileTime
0x41216c GetCurrentProcess
0x412170 CloseHandle
0x412174 GetLastError
0x412178 lstrcmpiA
Library USER32.dll:
0x4121ac ReleaseDC
0x4121b0 GetDC
0x4121b4 SendMessageA
0x4121b8 wsprintfA
0x4121bc SetDlgItemTextA
0x4121c0 EndDialog
0x4121c4 DestroyIcon
0x4121c8 SendDlgItemMessageA
0x4121cc GetDlgItemTextA
0x4121d0 DialogBoxParamA
0x4121d4 IsWindowVisible
0x4121d8 WaitForInputIdle
0x4121dc GetSysColor
0x4121e0 PostMessageA
0x4121e4 SetMenu
0x4121e8 SetFocus
0x4121ec LoadBitmapA
0x4121f0 LoadIconA
0x4121f4 CharToOemA
0x4121f8 OemToCharA
0x4121fc GetClassNameA
0x412200 CharUpperA
0x412204 GetWindowRect
0x412208 GetParent
0x41220c MapWindowPoints
0x412210 CreateWindowExA
0x412214 UpdateWindow
0x412218 SetWindowTextA
0x41221c LoadCursorA
0x412220 RegisterClassExA
0x412224 SetWindowLongA
0x412228 GetWindowLongA
0x41222c DefWindowProcA
0x412230 PeekMessageA
0x412234 GetMessageA
0x412238 DispatchMessageA
0x41223c DestroyWindow
0x412240 GetClientRect
0x412244 CopyRect
0x412248 IsWindow
0x41224c MessageBoxA
0x412250 ShowWindow
0x412254 GetDlgItem
0x412258 EnableWindow
0x41225c FindWindowExA
0x412260 wvsprintfA
0x412264 CharToOemBuffA
0x412268 LoadStringA
0x41226c SetWindowPos
0x412270 GetWindowTextA
0x412274 GetWindow
0x412278 GetSystemMetrics
0x41227c OemToCharBuffA
0x412280 TranslateMessage
Library GDI32.dll:
0x412044 GetDeviceCaps
0x412048 GetObjectA
0x412050 SelectObject
0x412054 StretchBlt
0x412058 CreateCompatibleDC
0x41205c DeleteObject
0x412060 DeleteDC
Library COMDLG32.dll:
0x412034 GetSaveFileNameA
0x41203c GetOpenFileNameA
Library ADVAPI32.dll:
0x412004 RegOpenKeyExA
0x412008 RegQueryValueExA
0x41200c RegCreateKeyExA
0x412010 RegSetValueExA
0x412014 RegCloseKey
0x412018 SetFileSecurityW
0x41201c SetFileSecurityA
0x412020 OpenProcessToken
Library SHELL32.dll:
0x412188 ShellExecuteExA
0x41218c SHFileOperationA
0x412190 SHGetFileInfoA
0x412198 SHGetMalloc
0x41219c SHBrowseForFolderA
0x4121a4 SHChangeNotify
Library ole32.dll:
0x41228c OleInitialize
0x412290 CoCreateInstance
0x412294 OleUninitialize
0x412298 CLSIDFromString
Library OLEAUT32.dll:
0x412180 VariantInit

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Host Destination Port
192.168.56.101 49227 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49229 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49226 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49224 203.208.41.98 update.googleapis.com 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=8eb86e1da701533d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620722420&mv=m&mvi=3
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=8eb86e1da701533d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620722420&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620722420&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620722420&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.