SmartHawk

13.4

0-day

12 个模型检测该样本为恶意！

重新分析

下载样本

aa096258616661670fa41640ec44d0b81359e6a4c97bdf1057f2a7db3c607c6e

5986b26f278584efee1350b72626c604.exe

分析耗时

104s

最近分析

文件大小

3.4MB

静态报毒动态报毒 BUNDLEINSTALLER CAYPNAMER CLOUD HIGH CONFIDENCE MALICIOUS QVM41 SOFT32 WEBCOMPANION 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀时间	查杀版本
McAfee	20200801	6.0.6.653
Alibaba	20190527	0.3.0.5
Baidu	20190318	1.0.0.2
Avast	20200801	18.4.3895.0
Kingsoft	20200801	2013.8.14.323
Tencent	20200801	1.0.0.1
CrowdStrike	20190702	1.0

Queries for the computername (49 个事件)

Time & API	Arguments	Status	Return
1620949125.101375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949125.914375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949126.117375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949126.273375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949126.710375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949126.789375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949126.929375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949127.023375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949127.179375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949127.257375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949127.289375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949127.335375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949127.382375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949127.414375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949127.445375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949127.476375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949127.539375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949127.632375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949129.492375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949131.023375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949132.351375 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949130.945626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949133.429626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949138.648626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949138.789626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949138.820626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949138.820626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949139.007626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949140.648626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949142.179626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949142.539626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949143.632626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949145.132626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949145.226626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949145.304626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949145.398626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949145.476626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949145.539626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949145.632626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949145.820626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949145.945626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949146.085626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949146.273626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949146.492626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949146.648626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949146.789626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949146.851626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949146.960626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620949147.085626 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (9 个事件)

Time & API	Arguments	Status	Return	Repeated
1620949114.804 IsDebuggerPresent		failed	0	0
1620949127.554626 IsDebuggerPresent		failed	0	0
1620949127.554626 IsDebuggerPresent		failed	0	0
1620949140.445626 IsDebuggerPresent		failed	0	0
1620949140.742626 IsDebuggerPresent		failed	0	0
1620949141.007626 IsDebuggerPresent		failed	0	0
1620949141.476626 IsDebuggerPresent		failed	0	0
1620949141.679626 IsDebuggerPresent		failed	0	0
1620949141.804626 IsDebuggerPresent		failed	0	0

Uses Windows APIs to generate a cryptographic key (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620949131.757626 CryptExportKey	crypto_handle: 0x00516e60 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1	0

This executable is signed

Tries to locate where the browsers are installed (4 个事件)

file	C:\Program Files\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\InstallDate
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620949124.320375 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.sxdata

The executable uses a known packer (1 个事件)

packer

Armadillo v1.71

HTTP traffic contains suspicious features which may be indicative of malware related traffic (10 个事件)

suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart
suspicious_features	GET method with no useragent header	suspicious_request	GET https://h2oapi.adaware.com/v1/bundleinfo/2953f8e6136b142530d98999e0ea672314b1eb6e
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://sos.adaware.com/v1/bundle/list/?bundleId=SFT002
suspicious_features	GET method with no useragent header	suspicious_request	GET https://sos.adaware.com/v1/offer/detail/?_id=575a0a3c11ae1c0f3a499539d6299cb1929c6584
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleInstallStart
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=PageShown
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleProposedOffers
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=OfferDetailsReceived
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleOffersApproved

Performs some HTTP requests (10 个事件)

request	POST http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart
request	POST http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart
request	GET https://h2oapi.adaware.com/v1/bundleinfo/2953f8e6136b142530d98999e0ea672314b1eb6e
request	POST https://sos.adaware.com/v1/bundle/list/?bundleId=SFT002
request	GET https://sos.adaware.com/v1/offer/detail/?_id=575a0a3c11ae1c0f3a499539d6299cb1929c6584
request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleInstallStart
request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=PageShown
request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleProposedOffers
request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=OfferDetailsReceived
request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleOffersApproved

Sends data using the HTTP POST Method (8 个事件)

request	POST http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart
request	POST http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart
request	POST https://sos.adaware.com/v1/bundle/list/?bundleId=SFT002
request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleInstallStart
request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=PageShown
request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleProposedOffers
request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=OfferDetailsReceived
request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleOffersApproved

Allocates read-write-execute memory (usually to unpack itself) (50 out of 324 个事件)

Time & API	Arguments	Status
1620949127.007626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 589824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00420000	success
1620949127.007626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00470000	success
1620949127.320626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00a20000	success
1620949127.320626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00b30000	success
1620949127.414626 NtProtectVirtualMemory	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success
1620949127.554626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00620000	success
1620949127.554626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00630000	success
1620949127.585626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005ca000	success
1620949127.601626 NtProtectVirtualMemory	process_identifier: 2272 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success
1620949127.601626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005c2000	success
1620949127.976626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005d2000	success
1620949128.101626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005f5000	success
1620949128.117626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005fb000	success
1620949128.132626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005f7000	success
1620949128.523626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005d3000	success
1620949128.617626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005dc000	success
1620949128.757626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005d4000	success
1620949128.789626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d30000	success
1620949128.835626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005d5000	success
1620949128.835626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005d6000	success
1620949128.882626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005d7000	success
1620949128.914626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005d8000	success
1620949128.914626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005d9000	success
1620949128.945626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e60000	success
1620949128.945626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e61000	success
1620949128.945626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e62000	success
1620949128.945626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005dd000	success
1620949128.945626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e63000	success
1620949128.960626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e64000	success
1620949128.960626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e65000	success
1620949128.960626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e66000	success
1620949128.960626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e67000	success
1620949128.960626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e68000	success
1620949128.960626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005de000	success
1620949128.960626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e69000	success
1620949128.960626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e6a000	success
1620949128.960626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e6b000	success
1620949128.960626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e6c000	success
1620949128.960626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e6d000	success
1620949128.960626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e6e000	success
1620949128.960626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x005df000	success
1620949128.960626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e6f000	success
1620949128.960626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00eb0000	success
1620949128.960626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00eb1000	success
1620949128.992626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00eb2000	success
1620949129.054626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00eb3000	success
1620949129.320626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00eb4000	success
1620949129.382626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00eb5000	success
1620949129.382626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04840000	success
1620949129.382626 NtAllocateVirtualMemory	process_identifier: 2272 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00eb6000	success

A process attempted to delay the analysis task. (1 个事件)

description

GenericSetup.exe tried to sleep 123 seconds, actually delayed analysis time by 123 seconds

Creates executable files on the filesystem (23 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\OfferServiceSDK.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Microsoft.Win32.TaskScheduler.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\ru\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\DevLib.Services.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\GenericSetup.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\HtmlAgilityPack.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\MyDownloader.Extension.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\fr\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\sciter32.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\pt\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Carrier.EXE
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Newtonsoft.Json.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\de\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Shared.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\it\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\es\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\MyDownloader.Core.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\OfferServiceBLL.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\GenericSetup.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\en\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\installer.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\DevLib.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\H2OSciter.dll

Drops a binary and executes it (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\GenericSetup.exe

Drops an executable to the user AppData folder (23 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\OfferServiceSDK.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\ru\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\de\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\MyDownloader.Core.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\DevLib.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\DevLib.Services.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\GenericSetup.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\fr\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\MyDownloader.Extension.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\it\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Microsoft.Win32.TaskScheduler.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\GenericSetup.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\pt\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\installer.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Newtonsoft.Json.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\en\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\sciter32.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Carrier.EXE
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Shared.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\HtmlAgilityPack.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\OfferServiceBLL.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\H2OSciter.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\es\DevLib.resources.dll

Executes one or more WMI queries (7 个事件)

wmi	SELECT * FROM Win32_VideoController
wmi	Select * from Win32_ComputerSystem
wmi	SELECT * FROM Win32_BIOS
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=True
wmi	SELECT * FROM Win32_Processor
wmi	SELECT * FROM Win32_BaseBoard

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (4 个事件)

Time & API	Arguments	Status	Return
1620949124.335375 Process32NextW	process_name: pythonw.exe snapshot_handle: 0x000000d8 process_identifier: 1316	success	1
1620949124.335375 Process32NextW	process_name: mobsync.exe snapshot_handle: 0x000000d8 process_identifier: 2080	success	1
1620949124.335375 Process32NextW	process_name: 5986b26f278584efee1350b72626c604.exe snapshot_handle: 0x000000d8 process_identifier: 472	success	1
1620949124.335375 Process32NextW	process_name: installer.exe snapshot_handle: 0x000000d8 process_identifier: 2468	success	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620949135.195626 GetAdaptersAddresses	flags: 15 family: 0	failed	111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620949130.554626 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Expresses interest in specific running processes (1 个事件)

process

installer.exe

Queries for potentially installed applications (50 out of 62 个事件)

Time & API	Arguments	Status
1620949138.710626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x80000002 key_handle: 0x000007a8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall options: 0	success
1620949138.726626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007c8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook regkey_r: AddressBook options: 0	success
1620949138.726626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007c8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager regkey_r: Connection Manager options: 0	success
1620949138.726626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007c8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx regkey_r: DirectDrawEx options: 0	success
1620949138.726626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007c8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore regkey_r: Fontcore options: 0	success
1620949138.742626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007c8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome regkey_r: Google Chrome options: 0	success
1620949138.757626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007c8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40 regkey_r: IE40 options: 0	success
1620949138.757626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007c8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data regkey_r: IE4Data options: 0	success
1620949138.757626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007c8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX regkey_r: IE5BAKEX options: 0	success
1620949138.757626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007c8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData regkey_r: IEData options: 0	success
1620949138.757626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007c8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack regkey_r: MobileOptionPack options: 0	success
1620949138.773626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007c8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent regkey_r: SchedulingAgent options: 0	success
1620949138.773626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007c8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC regkey_r: WIC options: 0	success
1620949142.648626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x80000002 key_handle: 0x000009f8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall options: 0	success
1620949142.648626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f8 key_handle: 0x000009d8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook regkey_r: AddressBook options: 0	success
1620949142.664626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f8 key_handle: 0x000009d8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager regkey_r: Connection Manager options: 0	success
1620949142.679626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f8 key_handle: 0x000009d8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx regkey_r: DirectDrawEx options: 0	success
1620949142.679626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f8 key_handle: 0x000009d8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore regkey_r: Fontcore options: 0	success
1620949142.679626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f8 key_handle: 0x000009d8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome regkey_r: Google Chrome options: 0	success
1620949142.679626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f8 key_handle: 0x000009d8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40 regkey_r: IE40 options: 0	success
1620949142.679626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f8 key_handle: 0x000009d8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data regkey_r: IE4Data options: 0	success
1620949142.679626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f8 key_handle: 0x000009d8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX regkey_r: IE5BAKEX options: 0	success
1620949142.679626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f8 key_handle: 0x000009d8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData regkey_r: IEData options: 0	success
1620949142.679626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f8 key_handle: 0x000009d8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack regkey_r: MobileOptionPack options: 0	success
1620949142.679626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f8 key_handle: 0x000009d8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent regkey_r: SchedulingAgent options: 0	success
1620949142.695626 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f8 key_handle: 0x000009d8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC regkey_r: WIC options: 0	success
1620949148.195626 RegOpenKeyExW	access: 0x00020219 base_handle: 0x80000002 key_handle: 0x00000378 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall options: 0	success
1620949148.195626 RegOpenKeyExW	access: 0x00020219 base_handle: 0x00000378 key_handle: 0x000009d4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook regkey_r: AddressBook options: 0	success
1620949148.195626 RegOpenKeyExW	access: 0x00020219 base_handle: 0x00000378 key_handle: 0x000009d4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager regkey_r: Connection Manager options: 0	success
1620949148.210626 RegOpenKeyExW	access: 0x00020219 base_handle: 0x00000378 key_handle: 0x000009d4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx regkey_r: DirectDrawEx options: 0	success
1620949148.210626 RegOpenKeyExW	access: 0x00020219 base_handle: 0x00000378 key_handle: 0x000009d4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore regkey_r: Fontcore options: 0	success
1620949148.210626 RegOpenKeyExW	access: 0x00020219 base_handle: 0x00000378 key_handle: 0x000009d4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome regkey_r: Google Chrome options: 0	success
1620949148.210626 RegOpenKeyExW	access: 0x00020219 base_handle: 0x00000378 key_handle: 0x000009d4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40 regkey_r: IE40 options: 0	success
1620949148.210626 RegOpenKeyExW	access: 0x00020219 base_handle: 0x00000378 key_handle: 0x000009d4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data regkey_r: IE4Data options: 0	success
1620949148.210626 RegOpenKeyExW	access: 0x00020219 base_handle: 0x00000378 key_handle: 0x000009d4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX regkey_r: IE5BAKEX options: 0	success
1620949148.210626 RegOpenKeyExW	access: 0x00020219 base_handle: 0x00000378 key_handle: 0x000009d4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData regkey_r: IEData options: 0	success
1620949148.210626 RegOpenKeyExW	access: 0x00020219 base_handle: 0x00000378 key_handle: 0x000009d4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack regkey_r: MobileOptionPack options: 0	success
1620949148.210626 RegOpenKeyExW	access: 0x00020219 base_handle: 0x00000378 key_handle: 0x000009d4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent regkey_r: SchedulingAgent options: 0	success
1620949148.210626 RegOpenKeyExW	access: 0x00020219 base_handle: 0x00000378 key_handle: 0x000009d4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC regkey_r: WIC options: 0	success
1620949148.210626 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x00000378 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall options: 0	success
1620949148.226626 RegOpenKeyExW	access: 0x00020119 base_handle: 0x00000378 key_handle: 0x000009d4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook regkey_r: AddressBook options: 0	success
1620949148.226626 RegOpenKeyExW	access: 0x00020119 base_handle: 0x00000378 key_handle: 0x000009d4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager regkey_r: Connection Manager options: 0	success
1620949148.226626 RegOpenKeyExW	access: 0x00020119 base_handle: 0x00000378 key_handle: 0x000009d4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx regkey_r: DirectDrawEx options: 0	success
1620949148.226626 RegOpenKeyExW	access: 0x00020119 base_handle: 0x00000378 key_handle: 0x000009d4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime regkey_r: DXM_Runtime options: 0	success
1620949148.226626 RegOpenKeyExW	access: 0x00020119 base_handle: 0x00000378 key_handle: 0x000009d4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore regkey_r: Fontcore options: 0	success
1620949148.226626 RegOpenKeyExW	access: 0x00020119 base_handle: 0x00000378 key_handle: 0x000009d4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 regkey_r: IE40 options: 0	success
1620949148.226626 RegOpenKeyExW	access: 0x00020119 base_handle: 0x00000378 key_handle: 0x000009d4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data regkey_r: IE4Data options: 0	success
1620949148.226626 RegOpenKeyExW	access: 0x00020119 base_handle: 0x00000378 key_handle: 0x000009d4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX regkey_r: IE5BAKEX options: 0	success
1620949148.226626 RegOpenKeyExW	access: 0x00020119 base_handle: 0x00000378 key_handle: 0x000009d4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData regkey_r: IEData options: 0	success
1620949148.226626 RegOpenKeyExW	access: 0x00020119 base_handle: 0x00000378 key_handle: 0x000009d4 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft .NET Framework 4 Client Profile regkey_r: Microsoft .NET Framework 4 Client Profile options: 0	success

Executes one or more WMI queries which can be used to identify virtual machines (4 个事件)

wmi	SELECT * FROM Win32_Processor
wmi	SELECT * FROM Win32_BIOS
wmi	Select * from Win32_ComputerSystem
wmi	SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=True

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Attempts to identify installed AV products by registry key (2 个事件)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\AVAST Software\Browser\Update
registry	HKEY_CURRENT_USER\SOFTWARE\AVAST Software\Browser\Update

Looks for the Windows Idle Time to determine the uptime (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620949139.632626 NtQuerySystemInformation	information_class: 8 (SystemProcessorPerformanceInformation)	success	0	0

File has been identified by 12 AntiVirus engines on VirusTotal as malicious (12 个事件)

FireEye	Generic.mg.5986b26f278584ef
APEX	Malicious
Rising	PUA.WebCompanion!8.9E98 (CLOUD)
DrWeb	Adware.Downware.19662
Invincea	heuristic
Emsisoft	Application.Downloader (A)
Webroot	W32.Adware.Soft32
Microsoft	PUA:Win32/Caypnamer.A!ml
Endgame	malicious (high confidence)
Malwarebytes	PUP.Optional.BundleInstaller
ESET-NOD32	a variant of Win32/WebCompanion.B potentially unwanted
Qihoo-360	HEUR/QVM41.1.F608.Malware.Gen

Performs 88 file moves indicative of a ransomware file encryption process (50 out of 88 个事件)

Time & API	Arguments	Status	Return
1620949120.507375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\de\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\de\DevLib.resources.dll	success	1
1620949120.585375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\de newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\de	success	1
1620949120.601375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\en\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\en\DevLib.resources.dll	success	1
1620949120.679375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\en newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\en	success	1
1620949120.710375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\es\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\es\DevLib.resources.dll	success	1
1620949120.773375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\es newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\es	success	1
1620949120.789375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\fr\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\fr\DevLib.resources.dll	success	1
1620949120.835375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\fr newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\fr	success	1
1620949120.851375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\it\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\it\DevLib.resources.dll	success	1
1620949120.882375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\it newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\it	success	1
1620949120.898375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\pt\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\pt\DevLib.resources.dll	success	1
1620949120.945375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\pt newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\pt	success	1
1620949120.976375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\images\loader.gif newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\images\loader.gif	success	1
1620949121.039375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\images\warning48x48.png newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\images\warning48x48.png	success	1
1620949121.070375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\images newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\images	success	1
1620949121.085375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Config.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Config.tis	success	1
1620949121.164375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\EventHandler.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\EventHandler.tis	success	1
1620949121.210375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Log.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Log.tis	success	1
1620949121.289375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\TranslateOfferTemplate.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\TranslateOfferTemplate.tis	success	1
1620949121.335375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\ViewStateLoader.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\ViewStateLoader.tis	success	1
1620949121.398375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis	success	1
1620949121.414375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\images\loader.gif newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\images\loader.gif	success	1
1620949121.445375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\images\warning48x48.png newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\images\warning48x48.png	success	1
1620949121.476375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\InstallingPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\InstallingPage.html	success	1
1620949121.539375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\LaunchCarrierPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\LaunchCarrierPage.html	success	1
1620949121.585375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\OfferPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\OfferPage.html	success	1
1620949121.664375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\ScanningPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\ScanningPage.html	success	1
1620949121.710375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\style.css newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\style.css	success	1
1620949121.757375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Config.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Config.tis	success	1
1620949121.773375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\EventHandler.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\EventHandler.tis	success	1
1620949121.804375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Log.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Log.tis	success	1
1620949121.835375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\TranslateOfferTemplate.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\TranslateOfferTemplate.tis	success	1
1620949121.851375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\ViewStateLoader.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\ViewStateLoader.tis	success	1
1620949121.882375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\WelcomePage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\WelcomePage.html	success	1
1620949121.929375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources	success	1
1620949121.929375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\images\loader.gif newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\images\loader.gif	success	1
1620949121.960375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\images\warning48x48.png newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\images\warning48x48.png	success	1
1620949121.976375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\images newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\images	success	1
1620949121.992375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Config.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Config.tis	success	1
1620949122.007375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\EventHandler.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\EventHandler.tis	success	1
1620949122.039375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Log.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Log.tis	success	1
1620949122.054375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\TranslateOfferTemplate.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\TranslateOfferTemplate.tis	success	1
1620949122.085375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\ViewStateLoader.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\ViewStateLoader.tis	success	1
1620949122.101375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis	success	1
1620949122.132375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\ru\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\ru\DevLib.resources.dll	success	1
1620949122.195375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\ru newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\ru	success	1
1620949122.210375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\2021.05.14_02.58.40.570250_installer_pid=2468.txt newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\2021.05.14_02.58.40.570250_installer_pid=2468.txt	success	1
1620949122.257375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\app.ico newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\app.ico	success	1
1620949122.320375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\BundleConfig.json newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\BundleConfig.json	success	1
1620949122.414375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Carrier.EXE newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Carrier.EXE	success	1

Appends a new file extension or content to 88 files indicative of a ransomware file encryption process (50 out of 88 个事件)

Time & API	Arguments	Status	Return
1620949120.507375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\de\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\de\DevLib.resources.dll	success	1
1620949120.585375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\de newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\de	success	1
1620949120.601375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\en\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\en\DevLib.resources.dll	success	1
1620949120.679375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\en newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\en	success	1
1620949120.710375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\es\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\es\DevLib.resources.dll	success	1
1620949120.773375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\es newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\es	success	1
1620949120.789375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\fr\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\fr\DevLib.resources.dll	success	1
1620949120.835375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\fr newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\fr	success	1
1620949120.851375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\it\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\it\DevLib.resources.dll	success	1
1620949120.882375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\it newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\it	success	1
1620949120.898375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\pt\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\pt\DevLib.resources.dll	success	1
1620949120.945375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\pt newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\pt	success	1
1620949120.976375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\images\loader.gif newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\images\loader.gif	success	1
1620949121.039375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\images\warning48x48.png newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\images\warning48x48.png	success	1
1620949121.070375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\images newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\images	success	1
1620949121.085375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Config.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Config.tis	success	1
1620949121.164375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\EventHandler.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\EventHandler.tis	success	1
1620949121.210375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Log.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Log.tis	success	1
1620949121.289375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\TranslateOfferTemplate.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\TranslateOfferTemplate.tis	success	1
1620949121.335375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\ViewStateLoader.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\ViewStateLoader.tis	success	1
1620949121.398375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis	success	1
1620949121.414375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\images\loader.gif newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\images\loader.gif	success	1
1620949121.445375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\images\warning48x48.png newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\images\warning48x48.png	success	1
1620949121.476375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\InstallingPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\InstallingPage.html	success	1
1620949121.539375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\LaunchCarrierPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\LaunchCarrierPage.html	success	1
1620949121.585375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\OfferPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\OfferPage.html	success	1
1620949121.664375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\ScanningPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\ScanningPage.html	success	1
1620949121.710375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\style.css newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\style.css	success	1
1620949121.757375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Config.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Config.tis	success	1
1620949121.773375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\EventHandler.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\EventHandler.tis	success	1
1620949121.804375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Log.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Log.tis	success	1
1620949121.835375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\TranslateOfferTemplate.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\TranslateOfferTemplate.tis	success	1
1620949121.851375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\ViewStateLoader.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\ViewStateLoader.tis	success	1
1620949121.882375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\WelcomePage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\WelcomePage.html	success	1
1620949121.929375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources	success	1
1620949121.929375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\images\loader.gif newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\images\loader.gif	success	1
1620949121.960375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\images\warning48x48.png newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\images\warning48x48.png	success	1
1620949121.976375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\images newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\images	success	1
1620949121.992375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Config.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Config.tis	success	1
1620949122.007375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\EventHandler.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\EventHandler.tis	success	1
1620949122.039375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Log.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\Log.tis	success	1
1620949122.054375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\TranslateOfferTemplate.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\TranslateOfferTemplate.tis	success	1
1620949122.085375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis\ViewStateLoader.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis\ViewStateLoader.tis	success	1
1620949122.101375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Resources\tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Resources\tis	success	1
1620949122.132375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\ru\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\ru\DevLib.resources.dll	success	1
1620949122.195375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\ru newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\ru	success	1
1620949122.210375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\2021.05.14_02.58.40.570250_installer_pid=2468.txt newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\2021.05.14_02.58.40.570250_installer_pid=2468.txt	success	1
1620949122.257375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\app.ico newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\app.ico	success	1
1620949122.320375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\BundleConfig.json newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\BundleConfig.json	success	1
1620949122.414375 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS8D1AE878\Carrier.EXE newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS8D1AE878\Carrier.EXE	success	1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2468 resumed a thread in remote process 2272
1620949126.539375 NtResumeThread	thread_handle: 0x00000248 suspend_count: 1 process_identifier: 2272	success	0	0

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2011-04-19 02:54:06

Imports

Library OLEAUT32.dll:

• 0x41b198 VariantClear

• 0x41b19c SysAllocString

Library USER32.dll:

• 0x41b1ac SendMessageA

• 0x41b1b0 SetTimer

• 0x41b1b4 DialogBoxParamW

• 0x41b1b8 DialogBoxParamA

• 0x41b1bc SetWindowLongA

• 0x41b1c0 GetWindowLongA

• 0x41b1c4 SetWindowTextW

• 0x41b1c8 LoadIconA

• 0x41b1cc LoadStringW

• 0x41b1d0 LoadStringA

• 0x41b1d4 CharUpperW

• 0x41b1d8 CharUpperA

• 0x41b1dc DestroyWindow

• 0x41b1e0 EndDialog

• 0x41b1e4 PostMessageA

• 0x41b1e8 ShowWindow

• 0x41b1ec MessageBoxW

• 0x41b1f0 GetDlgItem

• 0x41b1f4 KillTimer

• 0x41b1f8 SetWindowTextA

Library SHELL32.dll:

• 0x41b1a4 ShellExecuteExA

Library KERNEL32.dll:

• 0x41b000 GetCurrentDirectoryA

• 0x41b004 GetStringTypeW

• 0x41b008 GetStringTypeA

• 0x41b00c LCMapStringW

• 0x41b010 LCMapStringA

• 0x41b014 InterlockedIncrement

• 0x41b018 InterlockedDecrement

• 0x41b01c GetProcAddress

• 0x41b020 GetOEMCP

• 0x41b024 GetACP

• 0x41b028 GetCPInfo

• 0x41b02c IsBadCodePtr

• 0x41b030 IsBadReadPtr

• 0x41b034 GetFileType

• 0x41b038 SetHandleCount

• 0x41b03c GetEnvironmentStringsW

• 0x41b040 GetEnvironmentStrings

• 0x41b044 FreeEnvironmentStringsW

• 0x41b048 FreeEnvironmentStringsA

• 0x41b04c UnhandledExceptionFilter

• 0x41b050 HeapSize

• 0x41b054 GetCurrentProcess

• 0x41b058 TerminateProcess

• 0x41b05c IsBadWritePtr

• 0x41b060 HeapCreate

• 0x41b064 HeapDestroy

• 0x41b068 GetEnvironmentVariableA

• 0x41b06c SetUnhandledExceptionFilter

• 0x41b070 TlsAlloc

• 0x41b074 ExitProcess

• 0x41b078 GetVersion

• 0x41b07c GetCommandLineA

• 0x41b080 GetStartupInfoA

• 0x41b084 GetModuleHandleA

• 0x41b088 WaitForSingleObject

• 0x41b08c CloseHandle

• 0x41b090 CreateProcessA

• 0x41b094 GetCommandLineW

• 0x41b098 GetVersionExA

• 0x41b09c LeaveCriticalSection

• 0x41b0a0 EnterCriticalSection

• 0x41b0a4 DeleteCriticalSection

• 0x41b0a8 MultiByteToWideChar

• 0x41b0ac WideCharToMultiByte

• 0x41b0b0 GetLastError

• 0x41b0b4 LoadLibraryA

• 0x41b0b8 GetModuleFileNameW

• 0x41b0bc GetModuleFileNameA

• 0x41b0c0 LocalFree

• 0x41b0c4 FormatMessageW

• 0x41b0c8 FormatMessageA

• 0x41b0cc SetFileTime

• 0x41b0d0 CreateFileW

• 0x41b0d4 SetLastError

• 0x41b0d8 SetFileAttributesW

• 0x41b0dc SetFileAttributesA

• 0x41b0e0 RemoveDirectoryW

• 0x41b0e4 RemoveDirectoryA

• 0x41b0e8 CreateDirectoryW

• 0x41b0ec CreateDirectoryA

• 0x41b0f0 DeleteFileW

• 0x41b0f4 DeleteFileA

• 0x41b0f8 GetFullPathNameW

• 0x41b0fc GetFullPathNameA

• 0x41b100 SetCurrentDirectoryW

• 0x41b104 SetCurrentDirectoryA

• 0x41b108 GetCurrentDirectoryW

• 0x41b10c GetTempPathW

• 0x41b110 GetTempPathA

• 0x41b114 GetCurrentProcessId

• 0x41b118 GetTickCount

• 0x41b11c GetCurrentThreadId

• 0x41b120 FindClose

• 0x41b124 FindFirstFileW

• 0x41b128 FindFirstFileA

• 0x41b12c FindNextFileW

• 0x41b130 FindNextFileA

• 0x41b134 CreateFileA

• 0x41b138 GetFileSize

• 0x41b13c SetFilePointer

• 0x41b140 ReadFile

• 0x41b144 WriteFile

• 0x41b148 SetEndOfFile

• 0x41b14c GetStdHandle

• 0x41b150 WaitForMultipleObjects

• 0x41b154 Sleep

• 0x41b158 VirtualAlloc

• 0x41b15c VirtualFree

• 0x41b160 CreateEventA

• 0x41b164 SetEvent

• 0x41b168 ResetEvent

• 0x41b16c InitializeCriticalSection

• 0x41b170 RtlUnwind

• 0x41b174 RaiseException

• 0x41b178 HeapAlloc

• 0x41b17c HeapFree

• 0x41b180 HeapReAlloc

• 0x41b184 CreateThread

• 0x41b188 TlsSetValue

• 0x41b18c TlsGetValue

• 0x41b190 ExitThread

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
sos.adaware.com	A 104.16.236.79 A 104.16.235.79	104.16.236.79
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
h2oapi.adaware.com	A 104.16.236.79 A 104.16.235.79	104.16.235.79
clients2.google.com	A 216.58.200.46 CNAME clients.l.google.com	172.217.160.78
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
flow.lavasoft.com	A 104.18.88.101 A 104.18.87.101	104.18.87.101
teredo.ipv6.microsoft.com

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49224	104.16.235.79 h2oapi.adaware.com	443
192.168.56.101	49227	104.16.235.79 h2oapi.adaware.com	443
192.168.56.101	49221	104.18.87.101 flow.lavasoft.com	80
192.168.56.101	49222	104.18.87.101 flow.lavasoft.com	80
192.168.56.101	49228	104.18.87.101 flow.lavasoft.com	443

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50568	114.114.114.114	53
192.168.56.101	53210	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	53380	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	54178	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60221	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart	POST /v1/event-stat?ProductID=IS&Type=StubStart HTTP/1.1 Host: flow.lavasoft.com Accept: application/json Content-Type: application/json charsets: utf-8 Content-Length: 266 {"Data":{"BundleId":"SFT002","MachineId":"c39a9972-31e4-70f6-e9bd-35e4deef4f6f","InstallId":"2f90d508-0d99-4775-845a-dc56413b6699","OsVersion":"Microsoft Windows 7 Ultimate Edition Service Pack 1 (build 7601), 64-bit","DotNetFramework":"3.5, 4.0 Client, 4.0 Full"}}
http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart	POST /v1/event-stat?ProductID=IS&Type=StubBundleStart HTTP/1.1 Host: flow.lavasoft.com Accept: application/json Content-Type: application/json charsets: utf-8 Content-Length: 152 {"Data":{"BundleId":"SFT002","MachineId":"c39a9972-31e4-70f6-e9bd-35e4deef4f6f","InstallId":"2f90d508-0d99-4775-845a-dc56413b6699","InProcess":"true"}}

URI

Data

http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart

POST /v1/event-stat?ProductID=IS&Type=StubStart HTTP/1.1
Host: flow.lavasoft.com
Accept: application/json
Content-Type: application/json
charsets: utf-8
Content-Length: 266

{"Data":{"BundleId":"SFT002","MachineId":"c39a9972-31e4-70f6-e9bd-35e4deef4f6f","InstallId":"2f90d508-0d99-4775-845a-dc56413b6699","OsVersion":"Microsoft Windows 7 Ultimate Edition Service Pack 1 (build 7601), 64-bit","DotNetFramework":"3.5, 4.0 Client, 4.0 Full"}}

http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart

POST /v1/event-stat?ProductID=IS&Type=StubBundleStart HTTP/1.1
Host: flow.lavasoft.com
Accept: application/json
Content-Type: application/json
charsets: utf-8
Content-Length: 152

{"Data":{"BundleId":"SFT002","MachineId":"c39a9972-31e4-70f6-e9bd-35e4deef4f6f","InstallId":"2f90d508-0d99-4775-845a-dc56413b6699","InProcess":"true"}}

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.