11.0
0-day

SHA256: 6771d8d0431034fdd65f892475bfb38597457ccb65a7b2d46dd37579e22ebd4d
File name: 5bfda10184fb2ea0246db7f121bb9b22.exe
Analysis duration: 97s
Last analyzed:
File size: 229.0KB
Detection names (static and dynamic scans): ARKO BABH BHGM BUBLIK GENETIC KELIHOS KRYPTIK LUDER PTO7YS0 SHEUR4 SPNR TEPFER VIKNOK ZBOT ZEUS
Eagle Eye (鹰眼) engine: not detected (no Eagle Eye engine result available)
Static verdict
Antivirus engines
Engine    Result                Scan date  Engine version
McAfee    RDN/Generic.bfr!dg    20130830   5.600.0.1067
Avast     Win32:Viknok-I [Trj]  20130830   8.0.1489.320
Kingsoft  (no detection listed) 20130829   2013.4.9.267
Note on dates: the engine scan dates are 2013-08-29/30, while every event below carries a 2021 Unix timestamp, so the engine results come from an earlier scan of this file rather than from this detonation. The events themselves belong to two detonations on 2021-04-27: those stamped 16195133xx (about 08:48 UTC, the run whose process is pid 2196 in the dynamic indicators) and those stamped 16195284xx (about 13:00 UTC, the run with pids 1632 and 1424); the report merges both.
Static indicators
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1619513306.560531
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Command line console output was observed (45 events)
Reading note: handle 0x00000007 carries the sample's own path and handle 0x0000000b the error text; the two messages are the Chinese-locale Windows strings 拒绝访问。 ("Access is denied.") and 找不到批处理文件。 ("The batch file cannot be found."). That pairing is what cmd.exe's del command prints when the target file is locked by a running process, and the closing message is what cmd.exe prints when the batch script it is executing has been deleted from under it. Twenty-two failed attempts in roughly three seconds, ending with that message, are consistent with a delete-retry loop run from a temporary batch file that removes itself last; the batch file's contents are not captured in this report. SAMPLE below stands for C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bfda10184fb2ea0246db7f121bb9b22.exe.
Time               API            console_handle  buffer                           Status   Return  Repeated
1619528404.560124  WriteConsoleW  0x00000007      SAMPLE                           success  1       0
1619528404.638124  WriteConsoleW  0x0000000b      Access is denied.                success  1       0
1619528404.716124  WriteConsoleW  0x00000007      SAMPLE                           success  1       0
1619528404.747124  WriteConsoleW  0x0000000b      Access is denied.                success  1       0
1619528404.778124  WriteConsoleW  0x00000007      SAMPLE                           success  1       0
1619528404.794124  WriteConsoleW  0x0000000b      Access is denied.                success  1       0
1619528404.888124  WriteConsoleW  0x00000007      SAMPLE                           success  1       0
1619528404.903124  WriteConsoleW  0x0000000b      Access is denied.                success  1       0
1619528404.950124  WriteConsoleW  0x00000007      SAMPLE                           success  1       0
1619528404.950124  WriteConsoleW  0x0000000b      Access is denied.                success  1       0
1619528405.044124  WriteConsoleW  0x00000007      SAMPLE                           success  1       0
1619528405.044124  WriteConsoleW  0x0000000b      Access is denied.                success  1       0
1619528405.169124  WriteConsoleW  0x00000007      SAMPLE                           success  1       0
1619528405.169124  WriteConsoleW  0x0000000b      Access is denied.                success  1       0
1619528405.263124  WriteConsoleW  0x00000007      SAMPLE                           success  1       0
1619528405.263124  WriteConsoleW  0x0000000b      Access is denied.                success  1       0
1619528405.435124  WriteConsoleW  0x00000007      SAMPLE                           success  1       0
1619528405.435124  WriteConsoleW  0x0000000b      Access is denied.                success  1       0
1619528405.591124  WriteConsoleW  0x00000007      SAMPLE                           success  1       0
1619528405.591124  WriteConsoleW  0x0000000b      Access is denied.                success  1       0
1619528405.669124  WriteConsoleW  0x00000007      SAMPLE                           success  1       0
1619528405.731124  WriteConsoleW  0x0000000b      Access is denied.                success  1       0
1619528405.935124  WriteConsoleW  0x00000007      SAMPLE                           success  1       0
1619528405.950124  WriteConsoleW  0x0000000b      Access is denied.                success  1       0
1619528406.091124  WriteConsoleW  0x00000007      SAMPLE                           success  1       0
1619528406.091124  WriteConsoleW  0x0000000b      Access is denied.                success  1       0
1619528406.138124  WriteConsoleW  0x00000007      SAMPLE                           success  1       0
1619528406.153124  WriteConsoleW  0x0000000b      Access is denied.                success  1       0
1619528406.185124  WriteConsoleW  0x00000007      SAMPLE                           success  1       0
1619528406.185124  WriteConsoleW  0x0000000b      Access is denied.                success  1       0
1619528406.231124  WriteConsoleW  0x00000007      SAMPLE                           success  1       0
1619528406.247124  WriteConsoleW  0x0000000b      Access is denied.                success  1       0
1619528406.419124  WriteConsoleW  0x00000007      SAMPLE                           success  1       0
1619528406.419124  WriteConsoleW  0x0000000b      Access is denied.                success  1       0
1619528406.685124  WriteConsoleW  0x00000007      SAMPLE                           success  1       0
1619528406.685124  WriteConsoleW  0x0000000b      Access is denied.                success  1       0
1619528406.888124  WriteConsoleW  0x00000007      SAMPLE                           success  1       0
1619528406.903124  WriteConsoleW  0x0000000b      Access is denied.                success  1       0
1619528407.122124  WriteConsoleW  0x00000007      SAMPLE                           success  1       0
1619528407.138124  WriteConsoleW  0x0000000b      Access is denied.                success  1       0
1619528407.419124  WriteConsoleW  0x00000007      SAMPLE                           success  1       0
1619528407.435124  WriteConsoleW  0x0000000b      Access is denied.                success  1       0
1619528407.606124  WriteConsoleW  0x00000007      SAMPLE                           success  1       0
1619528407.606124  WriteConsoleW  0x0000000b      Access is denied.                success  1       0
1619528407.841124  WriteConsoleW  0x0000000b      The batch file cannot be found.  success  1       0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (2 events)
Note: the two values actually read are DigitalProductId and InstallDate, both through Wow6432Node, i.e. the 32-bit registry view on a 64-bit Windows.
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DigitalProductId
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallDate
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619513306.529531
GlobalMemoryStatusEx
success 1 0
One or more processes crashed (6 events)
Reading note: all six records share one timestamp (1619528476.638249), one fault address (0x75c883d2 in RPCRT4.dll) and one faulting instruction, cmp dword ptr [eax + 4], 0xfedcba98, an access violation (0xc0000005) on a read through eax, whose value 1596839222 (0x5f2dd536) points at memory that is not readable. The constant is the RPC runtime's magic-value check on a client context handle, so the innermost frames (NdrClientCall2, NDRCContextBinding) are marshalling code rejecting a bogus handle on a call that came from advapi32. Four distinct stacks are present (the second and third records repeat as the fourth and fifth). Two caveats when reading them: the frame names are nearest-export symbolization, so a frame such as GetProfileStringW+0x1072d or CoInternetCreateZoneManager+0x2a90 is not inside that function and only the module and offset are reliable; and New_wininet_HttpSendRequestA@20 is the sandbox monitor's hook for HttpSendRequestA (its hooks are named New_<dll>_<export>), so the crash occurred inside the sample's HTTP request while wininet and urlmon were initialising the security/zone manager and touching the registry. The frames with no module (baseConfigSource, _install, _threadEntry at 0x5b1385 to 0x5bdcfb) lie inside the 159744-byte PAGE_EXECUTE_READWRITE region at 0x005a0000 (0x005a0000 to 0x005c7000) that pid 1632 commits in the dynamic indicators below, so the crashing thread is running unpacked code.
Time & API Arguments Status Return Repeated
1619528476.638249
__exception__
stacktrace:
NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad
NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe
RegSetValueA+0x37c GetServiceKeyNameA-0x9d7 advapi32+0x611bd @ 0x765a11bd
RegSetKeyValueA+0x250 RegLoadAppKeyW-0x13c advapi32+0x5fadb @ 0x7659fadb
GetProfileStringW+0x1072d EnumResourceNamesW-0x35488 kernel32+0x4dcd9 @ 0x7638dcd9
baseConfigSource+0x15fac _install-0x1121 @ 0x5b9c24
SHQueryInfoKeyW+0x23 SHEnumValueW-0x9 shlwapi+0xcaf4 @ 0x776bcaf4
CoInternetCreateZoneManager+0x1d27 IEDllLoader-0x4501 urlmon+0x10404 @ 0x77720404
CoInternetCreateZoneManager+0x1d8c IEDllLoader-0x449c urlmon+0x10469 @ 0x77720469
CoInternetCreateZoneManager+0x27b7 IEDllLoader-0x3a71 urlmon+0x10e94 @ 0x77720e94
CoInternetCreateZoneManager+0x2a90 IEDllLoader-0x3798 urlmon+0x1116d @ 0x7772116d
CoInternetCreateZoneManager+0x2131 IEDllLoader-0x40f7 urlmon+0x1080e @ 0x7772080e
CoInternetCreateZoneManager+0x22b0 IEDllLoader-0x3f78 urlmon+0x1098d @ 0x7772098d
DllGetClassObject+0x80b CoInternetGetSecurityUrlEx-0x7c4 urlmon+0xc689 @ 0x7771c689
CoInternetCreateSecurityManager+0x14 RevokeBindStatusCallback-0x36b urlmon+0x1f115 @ 0x7772f115
InternetQueryDataAvailable+0x1ac6 InternetOpenW-0x1874 wininet+0x27923 @ 0x76267923
InternetInitializeAutoProxyDll+0x30d2 InternetConnectW-0x1d3e wininet+0x22bee @ 0x76262bee
InternetInitializeAutoProxyDll+0x2372 InternetConnectW-0x2a9e wininet+0x21e8e @ 0x76261e8e
InternetInitializeAutoProxyDll+0x408 InternetConnectW-0x4a08 wininet+0x1ff24 @ 0x7625ff24
InternetQueryOptionW+0x11f0 HttpQueryInfoA-0x1277 wininet+0x190c7 @ 0x762590c7
InternetQueryOptionW+0x18aa HttpQueryInfoA-0xbbd wininet+0x19781 @ 0x76259781
DeleteUrlCacheEntry+0x96e SetUrlCacheEntryInfoA-0x65d wininet+0x46356 @ 0x76286356
InternetOpenUrlA+0x7e1 InternetCombineUrlW-0x16b3 wininet+0x438d2 @ 0x762838d2
HttpSendRequestA+0x36 InternetSetPerSiteCookieDecisionA-0x7cf wininet+0x9192e @ 0x762d192e
New_wininet_HttpSendRequestA@20+0x137 New_wininet_HttpSendRequestW@20-0x7f @ 0x75349303
baseConfigSource+0x1003b _install-0x7092 @ 0x5b3cb3
baseConfigSource+0x10349 _install-0x6d84 @ 0x5b3fc1
baseConfigSource+0xd70d _install-0x99c0 @ 0x5b1385
baseConfigSource+0xe86f _install-0x885e @ 0x5b24e7
baseConfigSource+0x13759 _install-0x3974 @ 0x5b73d1
_threadEntry+0x107 @ 0x5bdcfb
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 33742892
registers.edi: 1985477926
registers.eax: 1596839222
registers.ebp: 33742932
registers.edx: 0
registers.ebx: 33744032
registers.esi: 1
registers.ecx: 1596839222
exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc
exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2
exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98
exception.module: RPCRT4.dll
exception.exception_code: 0xc0000005
exception.offset: 99282
exception.address: 0x75c883d2
success 0 0
1619528476.638249
__exception__
stacktrace:
NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad
NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe
RegSetValueA+0x4d4 GetServiceKeyNameA-0x87f advapi32+0x61315 @ 0x765a1315
GetProfileStringW+0xfdda EnumResourceNamesW-0x35ddb kernel32+0x4d386 @ 0x7638d386
baseConfigSource+0x15ca9 _install-0x1424 @ 0x5b9921
SHEnumValueW+0x22 PathMakePrettyW-0x104 shlwapi+0xcb1f @ 0x776bcb1f
CoInternetCreateZoneManager+0x91b IEDllLoader-0x590d urlmon+0xeff8 @ 0x7771eff8
CoInternetCreateZoneManager+0x1fa8 IEDllLoader-0x4280 urlmon+0x10685 @ 0x77720685
CoInternetCreateZoneManager+0x2b69 IEDllLoader-0x36bf urlmon+0x11246 @ 0x77721246
CoInternetCreateZoneManager+0x2ad8 IEDllLoader-0x3750 urlmon+0x111b5 @ 0x777211b5
CoInternetCreateZoneManager+0x2131 IEDllLoader-0x40f7 urlmon+0x1080e @ 0x7772080e
CoInternetCreateZoneManager+0x22b0 IEDllLoader-0x3f78 urlmon+0x1098d @ 0x7772098d
DllGetClassObject+0x80b CoInternetGetSecurityUrlEx-0x7c4 urlmon+0xc689 @ 0x7771c689
CoInternetCreateSecurityManager+0x14 RevokeBindStatusCallback-0x36b urlmon+0x1f115 @ 0x7772f115
InternetQueryDataAvailable+0x1ac6 InternetOpenW-0x1874 wininet+0x27923 @ 0x76267923
InternetInitializeAutoProxyDll+0x30d2 InternetConnectW-0x1d3e wininet+0x22bee @ 0x76262bee
InternetInitializeAutoProxyDll+0x2372 InternetConnectW-0x2a9e wininet+0x21e8e @ 0x76261e8e
InternetInitializeAutoProxyDll+0x408 InternetConnectW-0x4a08 wininet+0x1ff24 @ 0x7625ff24
InternetQueryOptionW+0x11f0 HttpQueryInfoA-0x1277 wininet+0x190c7 @ 0x762590c7
InternetQueryOptionW+0x18aa HttpQueryInfoA-0xbbd wininet+0x19781 @ 0x76259781
DeleteUrlCacheEntry+0x96e SetUrlCacheEntryInfoA-0x65d wininet+0x46356 @ 0x76286356
InternetOpenUrlA+0x7e1 InternetCombineUrlW-0x16b3 wininet+0x438d2 @ 0x762838d2
HttpSendRequestA+0x36 InternetSetPerSiteCookieDecisionA-0x7cf wininet+0x9192e @ 0x762d192e
New_wininet_HttpSendRequestA@20+0x137 New_wininet_HttpSendRequestW@20-0x7f @ 0x75349303
baseConfigSource+0x1003b _install-0x7092 @ 0x5b3cb3
baseConfigSource+0x10349 _install-0x6d84 @ 0x5b3fc1
baseConfigSource+0xd70d _install-0x99c0 @ 0x5b1385
baseConfigSource+0xe86f _install-0x885e @ 0x5b24e7
baseConfigSource+0x13759 _install-0x3974 @ 0x5b73d1
_threadEntry+0x107 @ 0x5bdcfb
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 33743496
registers.edi: 1985478544
registers.eax: 1596839222
registers.ebp: 33743536
registers.edx: 0
registers.ebx: 33744636
registers.esi: 1
registers.ecx: 1596839222
exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc
exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2
exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98
exception.module: RPCRT4.dll
exception.exception_code: 0xc0000005
exception.offset: 99282
exception.address: 0x75c883d2
success 0 0
1619528476.638249
__exception__
stacktrace:
NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad
NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe
RegSetValueA+0x2a5 GetServiceKeyNameA-0xaae advapi32+0x610e6 @ 0x765a10e6
RegSetKeyValueA+0x1b8 RegLoadAppKeyW-0x1d4 advapi32+0x5fa43 @ 0x7659fa43
GetProfileStringW+0xff0b EnumResourceNamesW-0x35caa kernel32+0x4d4b7 @ 0x7638d4b7
baseConfigSource+0x15ca9 _install-0x1424 @ 0x5b9921
SHEnumValueW+0x22 PathMakePrettyW-0x104 shlwapi+0xcb1f @ 0x776bcb1f
CoInternetCreateZoneManager+0x91b IEDllLoader-0x590d urlmon+0xeff8 @ 0x7771eff8
CoInternetCreateZoneManager+0x1fa8 IEDllLoader-0x4280 urlmon+0x10685 @ 0x77720685
CoInternetCreateZoneManager+0x2b69 IEDllLoader-0x36bf urlmon+0x11246 @ 0x77721246
CoInternetCreateZoneManager+0x2ad8 IEDllLoader-0x3750 urlmon+0x111b5 @ 0x777211b5
CoInternetCreateZoneManager+0x2131 IEDllLoader-0x40f7 urlmon+0x1080e @ 0x7772080e
CoInternetCreateZoneManager+0x22b0 IEDllLoader-0x3f78 urlmon+0x1098d @ 0x7772098d
DllGetClassObject+0x80b CoInternetGetSecurityUrlEx-0x7c4 urlmon+0xc689 @ 0x7771c689
CoInternetCreateSecurityManager+0x14 RevokeBindStatusCallback-0x36b urlmon+0x1f115 @ 0x7772f115
InternetQueryDataAvailable+0x1ac6 InternetOpenW-0x1874 wininet+0x27923 @ 0x76267923
InternetInitializeAutoProxyDll+0x30d2 InternetConnectW-0x1d3e wininet+0x22bee @ 0x76262bee
InternetInitializeAutoProxyDll+0x2372 InternetConnectW-0x2a9e wininet+0x21e8e @ 0x76261e8e
InternetInitializeAutoProxyDll+0x408 InternetConnectW-0x4a08 wininet+0x1ff24 @ 0x7625ff24
InternetQueryOptionW+0x11f0 HttpQueryInfoA-0x1277 wininet+0x190c7 @ 0x762590c7
InternetQueryOptionW+0x18aa HttpQueryInfoA-0xbbd wininet+0x19781 @ 0x76259781
DeleteUrlCacheEntry+0x96e SetUrlCacheEntryInfoA-0x65d wininet+0x46356 @ 0x76286356
InternetOpenUrlA+0x7e1 InternetCombineUrlW-0x16b3 wininet+0x438d2 @ 0x762838d2
HttpSendRequestA+0x36 InternetSetPerSiteCookieDecisionA-0x7cf wininet+0x9192e @ 0x762d192e
New_wininet_HttpSendRequestA@20+0x137 New_wininet_HttpSendRequestW@20-0x7f @ 0x75349303
baseConfigSource+0x1003b _install-0x7092 @ 0x5b3cb3
baseConfigSource+0x10349 _install-0x6d84 @ 0x5b3fc1
baseConfigSource+0xd70d _install-0x99c0 @ 0x5b1385
baseConfigSource+0xe86f _install-0x885e @ 0x5b24e7
baseConfigSource+0x13759 _install-0x3974 @ 0x5b73d1
_threadEntry+0x107 @ 0x5bdcfb
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 33743420
registers.edi: 1985477542
registers.eax: 1596839222
registers.ebp: 33743460
registers.edx: 0
registers.ebx: 33744560
registers.esi: 1
registers.ecx: 1596839222
exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc
exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2
exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98
exception.module: RPCRT4.dll
exception.exception_code: 0xc0000005
exception.offset: 99282
exception.address: 0x75c883d2
success 0 0
1619528476.638249
__exception__
stacktrace:
NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad
NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe
RegSetValueA+0x4d4 GetServiceKeyNameA-0x87f advapi32+0x61315 @ 0x765a1315
GetProfileStringW+0xfdda EnumResourceNamesW-0x35ddb kernel32+0x4d386 @ 0x7638d386
baseConfigSource+0x15ca9 _install-0x1424 @ 0x5b9921
SHEnumValueW+0x22 PathMakePrettyW-0x104 shlwapi+0xcb1f @ 0x776bcb1f
CoInternetCreateZoneManager+0x91b IEDllLoader-0x590d urlmon+0xeff8 @ 0x7771eff8
CoInternetCreateZoneManager+0x1fa8 IEDllLoader-0x4280 urlmon+0x10685 @ 0x77720685
CoInternetCreateZoneManager+0x2b69 IEDllLoader-0x36bf urlmon+0x11246 @ 0x77721246
CoInternetCreateZoneManager+0x2ad8 IEDllLoader-0x3750 urlmon+0x111b5 @ 0x777211b5
CoInternetCreateZoneManager+0x2131 IEDllLoader-0x40f7 urlmon+0x1080e @ 0x7772080e
CoInternetCreateZoneManager+0x22b0 IEDllLoader-0x3f78 urlmon+0x1098d @ 0x7772098d
DllGetClassObject+0x80b CoInternetGetSecurityUrlEx-0x7c4 urlmon+0xc689 @ 0x7771c689
CoInternetCreateSecurityManager+0x14 RevokeBindStatusCallback-0x36b urlmon+0x1f115 @ 0x7772f115
InternetQueryDataAvailable+0x1ac6 InternetOpenW-0x1874 wininet+0x27923 @ 0x76267923
InternetInitializeAutoProxyDll+0x30d2 InternetConnectW-0x1d3e wininet+0x22bee @ 0x76262bee
InternetInitializeAutoProxyDll+0x2372 InternetConnectW-0x2a9e wininet+0x21e8e @ 0x76261e8e
InternetInitializeAutoProxyDll+0x408 InternetConnectW-0x4a08 wininet+0x1ff24 @ 0x7625ff24
InternetQueryOptionW+0x11f0 HttpQueryInfoA-0x1277 wininet+0x190c7 @ 0x762590c7
InternetQueryOptionW+0x18aa HttpQueryInfoA-0xbbd wininet+0x19781 @ 0x76259781
DeleteUrlCacheEntry+0x96e SetUrlCacheEntryInfoA-0x65d wininet+0x46356 @ 0x76286356
InternetOpenUrlA+0x7e1 InternetCombineUrlW-0x16b3 wininet+0x438d2 @ 0x762838d2
HttpSendRequestA+0x36 InternetSetPerSiteCookieDecisionA-0x7cf wininet+0x9192e @ 0x762d192e
New_wininet_HttpSendRequestA@20+0x137 New_wininet_HttpSendRequestW@20-0x7f @ 0x75349303
baseConfigSource+0x1003b _install-0x7092 @ 0x5b3cb3
baseConfigSource+0x10349 _install-0x6d84 @ 0x5b3fc1
baseConfigSource+0xd70d _install-0x99c0 @ 0x5b1385
baseConfigSource+0xe86f _install-0x885e @ 0x5b24e7
baseConfigSource+0x13759 _install-0x3974 @ 0x5b73d1
_threadEntry+0x107 @ 0x5bdcfb
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 33743496
registers.edi: 1985478544
registers.eax: 1596839222
registers.ebp: 33743536
registers.edx: 0
registers.ebx: 33744636
registers.esi: 1
registers.ecx: 1596839222
exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc
exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2
exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98
exception.module: RPCRT4.dll
exception.exception_code: 0xc0000005
exception.offset: 99282
exception.address: 0x75c883d2
success 0 0
1619528476.638249
__exception__
stacktrace:
NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad
NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe
RegSetValueA+0x2a5 GetServiceKeyNameA-0xaae advapi32+0x610e6 @ 0x765a10e6
RegSetKeyValueA+0x1b8 RegLoadAppKeyW-0x1d4 advapi32+0x5fa43 @ 0x7659fa43
GetProfileStringW+0xff0b EnumResourceNamesW-0x35caa kernel32+0x4d4b7 @ 0x7638d4b7
baseConfigSource+0x15ca9 _install-0x1424 @ 0x5b9921
SHEnumValueW+0x22 PathMakePrettyW-0x104 shlwapi+0xcb1f @ 0x776bcb1f
CoInternetCreateZoneManager+0x91b IEDllLoader-0x590d urlmon+0xeff8 @ 0x7771eff8
CoInternetCreateZoneManager+0x1fa8 IEDllLoader-0x4280 urlmon+0x10685 @ 0x77720685
CoInternetCreateZoneManager+0x2b69 IEDllLoader-0x36bf urlmon+0x11246 @ 0x77721246
CoInternetCreateZoneManager+0x2ad8 IEDllLoader-0x3750 urlmon+0x111b5 @ 0x777211b5
CoInternetCreateZoneManager+0x2131 IEDllLoader-0x40f7 urlmon+0x1080e @ 0x7772080e
CoInternetCreateZoneManager+0x22b0 IEDllLoader-0x3f78 urlmon+0x1098d @ 0x7772098d
DllGetClassObject+0x80b CoInternetGetSecurityUrlEx-0x7c4 urlmon+0xc689 @ 0x7771c689
CoInternetCreateSecurityManager+0x14 RevokeBindStatusCallback-0x36b urlmon+0x1f115 @ 0x7772f115
InternetQueryDataAvailable+0x1ac6 InternetOpenW-0x1874 wininet+0x27923 @ 0x76267923
InternetInitializeAutoProxyDll+0x30d2 InternetConnectW-0x1d3e wininet+0x22bee @ 0x76262bee
InternetInitializeAutoProxyDll+0x2372 InternetConnectW-0x2a9e wininet+0x21e8e @ 0x76261e8e
InternetInitializeAutoProxyDll+0x408 InternetConnectW-0x4a08 wininet+0x1ff24 @ 0x7625ff24
InternetQueryOptionW+0x11f0 HttpQueryInfoA-0x1277 wininet+0x190c7 @ 0x762590c7
InternetQueryOptionW+0x18aa HttpQueryInfoA-0xbbd wininet+0x19781 @ 0x76259781
DeleteUrlCacheEntry+0x96e SetUrlCacheEntryInfoA-0x65d wininet+0x46356 @ 0x76286356
InternetOpenUrlA+0x7e1 InternetCombineUrlW-0x16b3 wininet+0x438d2 @ 0x762838d2
HttpSendRequestA+0x36 InternetSetPerSiteCookieDecisionA-0x7cf wininet+0x9192e @ 0x762d192e
New_wininet_HttpSendRequestA@20+0x137 New_wininet_HttpSendRequestW@20-0x7f @ 0x75349303
baseConfigSource+0x1003b _install-0x7092 @ 0x5b3cb3
baseConfigSource+0x10349 _install-0x6d84 @ 0x5b3fc1
baseConfigSource+0xd70d _install-0x99c0 @ 0x5b1385
baseConfigSource+0xe86f _install-0x885e @ 0x5b24e7
baseConfigSource+0x13759 _install-0x3974 @ 0x5b73d1
_threadEntry+0x107 @ 0x5bdcfb
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 33743420
registers.edi: 1985477542
registers.eax: 1596839222
registers.ebp: 33743460
registers.edx: 0
registers.ebx: 33744560
registers.esi: 1
registers.ecx: 1596839222
exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc
exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2
exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98
exception.module: RPCRT4.dll
exception.exception_code: 0xc0000005
exception.offset: 99282
exception.address: 0x75c883d2
success 0 0
1619528476.638249
__exception__
stacktrace:
NDRCContextMarshall+0x2b7 NDRCContextBinding-0x12 rpcrt4+0x183ad @ 0x75c883ad
NdrClientCall2+0x1f9 RpcAsyncInitializeHandle-0x10 rpcrt4+0xb01fe @ 0x75d201fe
RegSetValueA+0x1ce GetServiceKeyNameA-0xb85 advapi32+0x6100f @ 0x765a100f
GetProfileStringW+0xf337 EnumResourceNamesW-0x3687e kernel32+0x4c8e3 @ 0x7638c8e3
baseConfigSource+0x15b19 _install-0x15b4 @ 0x5b9791
GetPortFromUrlScheme+0x53fe DllGetClassObject-0x1f2 urlmon+0xbc8c @ 0x7771bc8c
CoInternetCreateZoneManager+0x2131 IEDllLoader-0x40f7 urlmon+0x1080e @ 0x7772080e
CoInternetCreateZoneManager+0x22b0 IEDllLoader-0x3f78 urlmon+0x1098d @ 0x7772098d
DllGetClassObject+0x80b CoInternetGetSecurityUrlEx-0x7c4 urlmon+0xc689 @ 0x7771c689
CoInternetCreateSecurityManager+0x14 RevokeBindStatusCallback-0x36b urlmon+0x1f115 @ 0x7772f115
InternetQueryDataAvailable+0x1ac6 InternetOpenW-0x1874 wininet+0x27923 @ 0x76267923
InternetInitializeAutoProxyDll+0x30d2 InternetConnectW-0x1d3e wininet+0x22bee @ 0x76262bee
InternetInitializeAutoProxyDll+0x2372 InternetConnectW-0x2a9e wininet+0x21e8e @ 0x76261e8e
InternetInitializeAutoProxyDll+0x408 InternetConnectW-0x4a08 wininet+0x1ff24 @ 0x7625ff24
InternetQueryOptionW+0x11f0 HttpQueryInfoA-0x1277 wininet+0x190c7 @ 0x762590c7
InternetQueryOptionW+0x18aa HttpQueryInfoA-0xbbd wininet+0x19781 @ 0x76259781
DeleteUrlCacheEntry+0x96e SetUrlCacheEntryInfoA-0x65d wininet+0x46356 @ 0x76286356
InternetOpenUrlA+0x7e1 InternetCombineUrlW-0x16b3 wininet+0x438d2 @ 0x762838d2
HttpSendRequestA+0x36 InternetSetPerSiteCookieDecisionA-0x7cf wininet+0x9192e @ 0x762d192e
New_wininet_HttpSendRequestA@20+0x137 New_wininet_HttpSendRequestW@20-0x7f @ 0x75349303
baseConfigSource+0x1003b _install-0x7092 @ 0x5b3cb3
baseConfigSource+0x10349 _install-0x6d84 @ 0x5b3fc1
baseConfigSource+0xd70d _install-0x99c0 @ 0x5b1385
baseConfigSource+0xe86f _install-0x885e @ 0x5b24e7
baseConfigSource+0x13759 _install-0x3974 @ 0x5b73d1
_threadEntry+0x107 @ 0x5bdcfb
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 33743808
registers.edi: 1985477242
registers.eax: 1596839222
registers.ebp: 33743848
registers.edx: 0
registers.ebx: 33744948
registers.esi: 1
registers.ecx: 1596839222
exception.instruction_r: 81 78 04 98 ba dc fe 0f 85 50 da 03 00 c7 45 fc
exception.symbol: NDRCContextBinding+0x13 NdrCorrelationInitialize-0x3a0 rpcrt4+0x183d2
exception.instruction: cmp dword ptr [eax + 4], 0xfedcba98
exception.module: RPCRT4.dll
exception.exception_code: 0xc0000005
exception.offset: 99282
exception.address: 0x75c883d2
success 0 0
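The link between the crash records above and the RWX allocation records under the dynamic indicators can be made mechanically rather than by eye. The script below is an added example and is not code from this report or from any sandbox: it parses the report's flattened event listing, keeps the regions that were allocated or re-protected as PAGE_EXECUTE_READWRITE, flags the in-place unpack pattern (NtProtectVirtualMemory turning the image base 0x00400000 RWX), and reports which return addresses from a stack trace fall inside one of those regions. The embedded event text is a constructed excerpt: three records copied from pid 1632's events in this report plus one invented PAGE_READWRITE record at 0x02000000 so the filter has something to reject; the four stack frames are copied from the first exception record. All function and variable names are my own.

```python
"""Correlate RWX regions with crash stack-frame addresses in a Cuckoo-style
sandbox report.  Added example; not code from the report or the sandbox."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

PAGE_EXECUTE_READWRITE = 0x40   # the "protection: 64" value in the report

# Constructed excerpt of the report's event listing (pid 1632's first three
# regions); the 0x02000000 PAGE_READWRITE record is invented for the filter.
SAMPLE_EVENTS = """\
1619528403.700249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 176128
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x003d0000
success 0 0
1619528403.716249
NtProtectVirtualMemory
process_identifier: 1632
length: 188416
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
success 0 0
1619528403.747249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 159744
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x005a0000
success 0 0
1619528403.800249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 65536
protection: 4 (PAGE_READWRITE)
base_address: 0x02000000
success 0 0
"""

# Four frames copied from the first exception record in the report.
SAMPLE_STACK = """\
baseConfigSource+0x15fac _install-0x1121 @ 0x5b9c24
New_wininet_HttpSendRequestA@20+0x137 New_wininet_HttpSendRequestW@20-0x7f @ 0x75349303
_threadEntry+0x107 @ 0x5bdcfb
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5
"""

@dataclass(frozen=True)
class Region:
    pid: int
    api: str      # NtAllocateVirtualMemory or NtProtectVirtualMemory
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

_TS_LINE = re.compile(r"^\d{10}\.\d+$")

def parse_events(text: str) -> List[dict]:
    """One dict per event: bare epoch-timestamp line, API name, 'key: value'
    argument lines, then the 'status return repeated' line."""
    events: List[dict] = []
    cur: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _TS_LINE.match(line):
            cur = {"time": float(line), "api": None}
            events.append(cur)
        elif cur is None:
            continue                      # text before the first record
        elif cur["api"] is None:
            cur["api"] = line
        elif ": " in line:
            key, value = line.split(": ", 1)
            cur[key] = value
        else:
            cur["status"] = line
    return events

def rwx_regions(events: List[dict]) -> List[Region]:
    """Regions allocated or re-protected as PAGE_EXECUTE_READWRITE."""
    out = []
    for ev in events:
        api = ev.get("api")
        if api not in ("NtAllocateVirtualMemory", "NtProtectVirtualMemory"):
            continue
        if int(ev["protection"].split()[0]) != PAGE_EXECUTE_READWRITE:
            continue
        size = ev["region_size"] if api == "NtAllocateVirtualMemory" else ev["length"]
        out.append(Region(int(ev["process_identifier"]), api,
                          int(ev["base_address"], 16), int(size)))
    return out

def image_base_made_rwx(regions: List[Region], image_base: int = 0x00400000) -> bool:
    """NtProtectVirtualMemory flipping the loaded image itself to RWX is the
    in-place unpack pattern (the report shows it on 0x00400000, 188416 bytes)."""
    return any(r.api == "NtProtectVirtualMemory" and r.base == image_base for r in regions)

_FRAME_ADDR = re.compile(r"@ (0x[0-9a-fA-F]+)\s*$")

def frame_addresses(stacktrace: str) -> List[int]:
    """Return-address column of the report's 'symbol @ 0xaddr' frame lines."""
    return [int(m.group(1), 16)
            for m in map(_FRAME_ADDR.search, stacktrace.splitlines()) if m]

def locate(regions: List[Region], addrs: List[int]) -> Dict[int, Optional[Region]]:
    return {a: next((r for r in regions if r.contains(a)), None) for a in addrs}

def analyse(events_text: str = SAMPLE_EVENTS, stack_text: str = SAMPLE_STACK) -> dict:
    regions = rwx_regions(parse_events(events_text))
    hits = locate(regions, frame_addresses(stack_text))
    return {
        "rwx_regions": regions,
        "image_base_rwx": image_base_made_rwx(regions),
        "frames_in_rwx": {hex(a): hex(r.base) for a, r in hits.items() if r},
        "frames_outside": [hex(a) for a, r in hits.items() if r is None],
    }
```

On the embedded excerpt, analyse() keeps three RWX regions, reports the image-base re-protection, and places the two unnamed-module frames (0x5b9c24 and 0x5bdcfb) inside the 0x005a0000 region while the wininet hook and ntdll frames fall outside every RWX region. Feeding it the full event listing of a report instead of the excerpt is a matter of pasting the text; the parser only relies on the timestamp, API-name and 'key: value' line shapes shown on this page.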
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (50 of 111 events shown)
Reading note: the records below come from the 32-bit sample in two runs (pid 2196 at 1619513304, pid 1632 at 1619528403) and from pid 1424, a 64-bit process (8-byte process_handle 0xffffffffffffffff and base address 0x00000000040d0000). The two 32-bit runs show the same sequence: two 176128-byte RWX allocations, NtProtectVirtualMemory making the entire loaded image at 0x00400000 (188416 bytes) RWX, a 159744-byte RWX region (0x005d0000 in pid 2196, 0x005a0000 in pid 1632), and then a run of single 4096-byte RWX pages. The re-protection of the image base is the in-place unpack; the 159744-byte region is where the unpacked code executes, since the return addresses in the crash stack traces above (0x5b1385 to 0x5bdcfb) lie inside 0x005a0000 to 0x005c7000.
Time & API Arguments Status Return Repeated
1619513304.842531
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00350000
success 0 0
1619513304.842531
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00380000
success 0 0
1619513304.857531
NtProtectVirtualMemory
process_identifier: 2196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 188416
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619513304.904531
NtAllocateVirtualMemory
process_identifier: 2196
region_size: 159744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005d0000
success 0 0
1619528474.263124
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00000000040d0000
success 0 0
1619528403.700249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003d0000
success 0 0
1619528403.700249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 176128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00440000
success 0 0
1619528403.716249
NtProtectVirtualMemory
process_identifier: 1632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 188416
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619528403.747249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 159744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a0000
success 0 0
1619528403.810249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02640000
success 0 0
1619528403.810249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02650000
success 0 0
1619528403.810249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02660000
success 0 0
1619528403.825249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020c0000
success 0 0
1619528403.825249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020d0000
success 0 0
1619528403.825249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020e0000
success 0 0
1619528403.825249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02740000
success 0 0
1619528403.841249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02750000
success 0 0
1619528403.841249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02760000
success 0 0
1619528403.841249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02770000
success 0 0
1619528403.856249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02780000
success 0 0
1619528403.856249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02790000
success 0 0
1619528403.856249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027a0000
success 0 0
1619528403.872249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027b0000
success 0 0
1619528403.888249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027c0000
success 0 0
1619528403.888249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027d0000
success 0 0
1619528403.903249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027e0000
success 0 0
1619528403.903249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027f0000
success 0 0
1619528403.903249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02800000
success 0 0
1619528403.903249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02810000
success 0 0
1619528403.919249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02820000
success 0 0
1619528403.919249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02830000
success 0 0
1619528403.935249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02710000
success 0 0
1619528403.935249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02720000
success 0 0
1619528403.935249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02730000
success 0 0
1619528403.935249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02840000
success 0 0
1619528403.950249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02850000
success 0 0
1619528403.950249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02860000
success 0 0
1619528403.950249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02870000
success 0 0
1619528403.950249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02880000
success 0 0
1619528403.950249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02890000
success 0 0
1619528403.950249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x028a0000
success 0 0
1619528403.966249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x028b0000
success 0 0
1619528403.966249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x028c0000
success 0 0
1619528403.966249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x028d0000
success 0 0
1619528403.966249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x028e0000
success 0 0
1619528403.966249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x028f0000
success 0 0
1619528403.966249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02900000
success 0 0
1619528403.981249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02910000
success 0 0
1619528403.981249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02670000
success 0 0
1619528403.981249
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02680000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates executable files on the filesystem (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3f31c706.bat
Creates a service (1 event)
Time & API Arguments Status Return Repeated
1619513308.685531
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x00875688
display_name: Security Center Server - 1637219513
error_control: 1
service_name: SecurityCenterServer1637219513
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe"
filepath_r: "C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe"
service_manager_handle: 0x00875840
desired_access: 983551
service_type: 16
password:
success 8869512 0
Creates a suspicious process (1 event)
cmdline "C:\Windows\system32\cmd.exe" /c "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\tmp3f31c706.bat"
Drops an executable to the user AppData folder (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5bfda10184fb2ea0246db7f121bb9b22.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619528411.419501
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (4 events)
entropy 7.848468831528273 section {'size_of_data': '0x00027800', 'virtual_address': '0x00001000', 'entropy': 7.848468831528273, 'name': '.text', 'virtual_size': '0x000277ca'} description A section with a high entropy has been found
entropy 7.8066982423151705 section {'size_of_data': '0x00003600', 'virtual_address': '0x0002f000', 'entropy': 7.8066982423151705, 'name': '.data', 'virtual_size': '0x000035fc'} description A section with a high entropy has been found
entropy 7.6962488364708035 section {'size_of_data': '0x00005e00', 'virtual_address': '0x00034000', 'entropy': 7.6962488364708035, 'name': '.rdata', 'virtual_size': '0x00005c30'} description A section with a high entropy has been found
entropy 0.8590308370044053 description Overall entropy of this PE file is high
Reads the system's User Agent and subsequently performs requests (1 event)
Time & API Arguments Status Return Repeated
1619528476.513249
InternetOpenA
proxy_bypass:
access_type: 1
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
Terminates another process (4 events)
Time & API Arguments Status Return Repeated
1619528476.466249
NtTerminateProcess
status_code: 0x00000000
process_identifier: 3084
process_handle: 0x0000022c
failed 0 0
1619528476.466249
NtTerminateProcess
status_code: 0x00000000
process_identifier: 3084
process_handle: 0x0000022c
failed 3221225738 0
1619528436.966501
NtTerminateProcess
status_code: 0x00000000
process_identifier: 3220
process_handle: 0x0000055c
failed 0 0
1619528436.966501
NtTerminateProcess
status_code: 0x00000000
process_identifier: 3220
process_handle: 0x0000055c
success 0 0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Installs itself for autorun at Windows startup (50 out of 1092 events)
service_name SecurityCenterServer1637219513 service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe"
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bahireqabygy reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Tyxyzio\ogump.exe
Disables proxy possibly for traffic interception (1 event)
Time & API Arguments Status Return Repeated
1619528411.028501
RegSetValueExA
key_handle: 0x0000038c
value: 0
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
success 0 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1619528413.981501
RegSetValueExA
key_handle: 0x000004b0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619528413.981501
RegSetValueExA
key_handle: 0x000004b0
value: Ð¬Ôø2;×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619528413.981501
RegSetValueExA
key_handle: 0x000004b0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619528413.981501
RegSetValueExW
key_handle: 0x000004b0
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619528413.997501
RegSetValueExA
key_handle: 0x000004c0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619528413.997501
RegSetValueExA
key_handle: 0x000004c0
value: Ð¬Ôø2;×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619528413.997501
RegSetValueExA
key_handle: 0x000004c0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619528414.028501
RegSetValueExW
key_handle: 0x000004ac
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 1632 resumed a thread in remote process 3084
Time & API Arguments Status Return Repeated
1619528404.638249
NtResumeThread
thread_handle: 0x00000228
suspend_count: 1
process_identifier: 3084
success 0 0
Creates and runs a batch file to remove the original binary (1 event)
file 19acb63710d3ff97_tmp3f31c706.bat
Zeus P2P (Banking Trojan) (16 events)
mutex Global\{6B55FE01-B473-7129-9490-0813FB225B00}
mutex Global\{9B0C086F-421D-8170-9490-0813FB225B00}
mutex Local\{FAEABE78-F40A-E096-9490-0813FB225B00}
mutex Global\{1BF9CF22-8550-0185-A6F8-B893C94AEB80}
mutex Local\{D14CDB4A-9138-CB30-9490-0813FB225B00}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 10985, 'time': 6.785250902175903, 'dport': 5355, 'sport': 49235}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 11313, 'time': 92.5570068359375, 'dport': 5355, 'sport': 50002}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 11633, 'time': 20.168592929840088, 'dport': 5355, 'sport': 51378}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 11953, 'time': 6.73077392578125, 'dport': 5355, 'sport': 51963}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 12289, 'time': 4.154297828674316, 'dport': 5355, 'sport': 56804}
udp {'src': '192.168.56.101', 'dst': '224.0.0.252', 'offset': 12625, 'time': 4.5360589027404785, 'dport': 5355, 'sport': 62191}
udp {'src': '192.168.56.101', 'dst': '239.255.255.250', 'offset': 12953, 'time': 4.305312871932983, 'dport': 1900, 'sport': 1900}
udp {'src': '192.168.56.101', 'dst': '239.255.255.250', 'offset': 32363, 'time': 9.249045848846436, 'dport': 3702, 'sport': 51809}
udp {'src': '192.168.56.101', 'dst': '239.255.255.250', 'offset': 35219, 'time': 5.358961820602417, 'dport': 3702, 'sport': 56540}
udp {'src': '192.168.56.101', 'dst': '239.255.255.250', 'offset': 37947, 'time': 6.736336946487427, 'dport': 1900, 'sport': 56807}
udp {'src': '192.168.56.101', 'dst': '239.255.255.250', 'offset': 42077, 'time': 4.2476677894592285, 'dport': 3702, 'sport': 58707}
Generates some ICMP traffic
File has been identified by 34 AntiVirus engines on VirusTotal as malicious (34 events)
nProtect Trojan/W32.Bublik.234517
McAfee RDN/Generic.bfr!dg
Malwarebytes Trojan.Agent.VOS
K7AntiVirus Trojan
K7GW Trojan
TheHacker Trojan/Spy.Zbot.aba
Symantec Trojan.Zbot
Norman Kelihos.DA
TrendMicro-HouseCall TROJ_SPNR.1AE313
Avast Win32:Viknok-I [Trj]
Kaspersky Trojan.Win32.Bublik.arko
BitDefender Trojan.Generic.9018224
Agnitum Trojan.Bublik!D3n/pTO7Ys0
SUPERAntiSpyware Trojan.Agent/Gen-Bublik
Sophos Troj/Zbot-EWG
Comodo TrojWare.Win32.Kryptik.BABH
F-Secure Trojan.Generic.9018224
DrWeb Trojan.Packed.2952
VIPRE Trojan.Win32.Kryptik.m (v)
AntiVir TR/Bublik.arko
TrendMicro TROJ_SPNR.1AE313
McAfee-GW-Edition RDN/Generic.bfr!dg
Emsisoft Trojan.Generic.9018224 (B)
Antiy-AVL Trojan/Win32.Bublik.gen
Microsoft PWS:Win32/Zbot.gen!AP
AhnLab-V3 Trojan/Win32.Tepfer
GData Trojan.Generic.9018224
VBA32 Trojan.Bublik
PCTools Trojan.Zbot
ESET-NOD32 Win32/Spy.Zbot.ABA
Ikarus Worm.Win32.Luder
Fortinet W32/Tepfer.MQ!tr
AVG SHeur4.BHGM
Panda Trj/Genetic.gen
Visual analysis
Binary image
No binary image: this sample produced no binary visualization image
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran
PE Compile Time

2010-04-03 17:03:59

Imports

Library KERNEL32.dll:
0x42e008 OutputDebugStringA
0x42e00c RaiseException
0x42e010 GetLastError
0x42e018 HeapCreate
0x42e01c InterlockedExchange
0x42e020 FindResourceW
0x42e024 HeapFree
0x42e028 LockResource
0x42e02c GetTickCount
0x42e030 SetThreadLocale
0x42e038 LoadLibraryA
0x42e040 FreeLibrary
0x42e044 GetVersionExA
0x42e048 LoadResource
0x42e04c GetCPInfo
0x42e050 GetModuleFileNameW
0x42e058 GetVersionExW
0x42e05c HeapAlloc
0x42e064 GetProcAddress
0x42e06c IsDebuggerPresent
0x42e070 GetThreadLocale
0x42e074 LoadLibraryExA
0x42e078 GetModuleHandleExW
0x42e07c DebugBreak
0x42e080 SizeofResource
0x42e08c MultiByteToWideChar
0x42e094 GetCurrentProcessId
0x42e098 GlobalAlloc
0x42e09c GetSystemInfo
0x42e0a0 lstrcmpiW
0x42e0a4 LoadLibraryExW
0x42e0ac HeapSize
0x42e0b0 SetLastError
0x42e0bc lstrlenW
0x42e0c0 HeapDestroy
0x42e0c4 GetCurrentProcess
Library MSVCRT.dll:
0x42e0cc memset
0x42e0d0 exit
0x42e0dc __dllonexit
0x42e0e0 realloc
0x42e0e4 _initterm
0x42e0e8 free
0x42e0ec __set_app_type
0x42e0f0 __RTtypeid
0x42e0f4 memcpy
0x42e0f8 _amsg_exit
0x42e0fc towlower
0x42e100 _onexit
0x42e104 _lock
0x42e10c _errno
0x42e110 _unlock
0x42e114 _CxxThrowException
0x42e118 _vsnwprintf
0x42e120 malloc
0x42e124 memmove
0x42e128 wcsncmp
0x42e12c _XcptFilter
0x42e134 __p__commode
0x42e140 __getmainargs
0x42e144 wcsrchr
Library OLE32.dll:
0x42e198 CoTaskMemRealloc
0x42e19c StringFromGUID2
0x42e1a0 HWND_UserUnmarshal
0x42e1a4 CoCreateInstance
0x42e1a8 CoTaskMemAlloc
0x42e1ac CoTaskMemFree
0x42e1b0 HWND_UserMarshal
0x42e1b4 HWND_UserSize
0x42e1b8 CLSIDFromString
0x42e1bc HWND_UserFree
Library NTDLL.dll:
0x42e1cc DbgPrint

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 57874 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 51809 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.