8.6
Critical

658b6d4e6818841a04b492f151d118adb2c8888edbebd98ebc6247566b35af6c

5f34088c4b9340fd1c46d67e3bc9416d.exe

Analysis duration

75s

Latest analysis

File size

998.1KB
Static detection  Dynamic detection  AGRK AI SCORE=85 APPLICUNWNT@#28ZITP6GCTPF7 ARTEMIS ATTRIBUTE BSCOPE CONFIDENCE CROSSRIDER CROSSRIDER1 DSMCFV EI5IR64NKMQ ELDORADO GEN7 GENERIC PUA AD GRAYWARE HIGH CONFIDENCE HIGHCONFIDENCE NSIS OUTBROWSE PLAYTECH R336816 SCORE STATIC AI SUSPICIOUS PE SXOM UFZNOM1R4NC UNSAFE VMDETECTOR WQ4@ASI0EWP YMACCO ZEDLAF
鹰眼 (Eagle Eye) engine
Not detected: no 鹰眼 (Eagle Eye) engine results are available for this sample
Static verdict
Antivirus engines
Engine | Result | Scan date | Engine version
Alibaba AdWare:Win32/CrossRider.04d7b747 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_80% (D) 20190702 1.0
Avast 20201210 21.1.5827.0
Baidu 20190318 1.0.0.2
McAfee Artemis!5F34088C4B93 20201211 6.0.6.653
Tencent Win32.Adware.Crossrider.Sxom 20201211 1.0.0.1
Static indicators
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (2 events)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallDate
Tries to locate where the browsers are installed (5 events)
file C:\Program Files\Google\Chrome\Application\chrome.exe
registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
Checks the amount of memory in the system; this can be used to detect virtual machines that have only a small amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619513305.956081
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .ndata
One or more processes crashed (1 event)
Time & API Arguments Status Return Repeated
1619535653.106249
__exception__
stacktrace:
detectVm+0x20 disableProxyIE-0x2b installerutils+0x7457 @ 0x74837457
au_+0x2899 @ 0x402899
au_+0x3815 @ 0x403815
au_+0x170f @ 0x40170f
au_+0x3815 @ 0x403815
au_+0x170f @ 0x40170f
au_+0x3815 @ 0x403815
au_+0x38bd @ 0x4038bd
au_+0x61ad @ 0x4061ad
au_+0x4714 @ 0x404714
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2684632
registers.edi: 1954772023
registers.eax: 1447909480
registers.ebp: 2684688
registers.edx: 22104
registers.ebx: 0
registers.esi: 0
registers.ecx: 10
exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e7 5b 59 5a c7 45
exception.instruction: in eax, dx
exception.exception_code: 0xc0000096
exception.symbol: DestroyDialogProc-0x2abe installerutils+0x4250
exception.address: 0x74834250
success 0 0
Behavioral verdict
Dynamic indicators
Allocates read-write-execute memory (usually to unpack itself) (1 event)
Time & API Arguments Status Return Repeated
1619535650.559249
NtProtectVirtualMemory
process_identifier: 2976
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x10004000
success 0 0
Steals private information from local Internet browsers (3 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Preferences
registry HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox
Creates executable files on the filesystem (7 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl657D.tmp\nsislog.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl657D.tmp\nsisos.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl657D.tmp\StdUtils.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl657D.tmp\System.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl657D.tmp\InstallerUtils2.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl657D.tmp\InstallerUtils.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl657D.tmp\UserInfo.dll
Drops an executable to the user AppData folder (7 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl657D.tmp\nsislog.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl657D.tmp\InstallerUtils2.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl657D.tmp\UserInfo.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl657D.tmp\StdUtils.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl657D.tmp\System.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl657D.tmp\nsisos.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsl657D.tmp\InstallerUtils.dll
Tries to locate whether any sniffers are installed (2 events)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2
Expresses interest in specific running processes (1 event)
process vboxservice.exe
Queries for potentially installed applications (50 of 287 events)
Time & API Arguments Status Return Repeated
1619535652.762249
RegOpenKeyExA
access: 0x00000001
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
options: 0
failed 2 0
1619535652.762249
RegOpenKeyExA
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000220
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
options: 0
success 0 0
1619535653.090249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
options: 0
failed 2 0
1619535653.090249
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wireshark
options: 0
failed 2 0
1619535653.090249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2
options: 0
failed 2 0
1619535653.090249
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fiddler2
options: 0
failed 2 0
1619535653.153249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG SafeGuard toolbar
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG SafeGuard toolbar
options: 0
failed 2 0
1619535653.153249
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG SafeGuard toolbar
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AVG SafeGuard toolbar
options: 0
failed 2 0
1619535653.200249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GrabRez
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GrabRez
options: 0
failed 2 0
1619535653.200249
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GrabRez
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GrabRez
options: 0
failed 2 0
1619535653.200249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PacFunction
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PacFunction
options: 0
failed 2 0
1619535653.200249
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PacFunction
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PacFunction
options: 0
failed 2 0
1619535653.215249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallConverter
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallConverter
options: 0
failed 2 0
1619535653.215249
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallConverter
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallConverter
options: 0
failed 2 0
1619535653.215249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1
options: 0
failed 2 0
1619535653.215249
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Optimizer Pro_is1
options: 0
failed 2 0
1619535653.215249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Optimizer Pro
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Optimizer Pro
options: 0
failed 2 0
1619535653.215249
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Optimizer Pro
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\System Optimizer Pro
options: 0
failed 2 0
1619535653.215249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A0B0DA25-DD15-4739-92A3-62D3424F043A}_is1
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A0B0DA25-DD15-4739-92A3-62D3424F043A}_is1
options: 0
failed 2 0
1619535653.215249
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A0B0DA25-DD15-4739-92A3-62D3424F043A}_is1
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A0B0DA25-DD15-4739-92A3-62D3424F043A}_is1
options: 0
failed 2 0
1619535653.215249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7B34B38-02A6-44D5-B8CC-06EB3B8ACFC9}_is1
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7B34B38-02A6-44D5-B8CC-06EB3B8ACFC9}_is1
options: 0
failed 2 0
1619535653.215249
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7B34B38-02A6-44D5-B8CC-06EB3B8ACFC9}_is1
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F7B34B38-02A6-44D5-B8CC-06EB3B8ACFC9}_is1
options: 0
failed 2 0
1619535653.215249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IECT2700842
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IECT2700842
options: 0
failed 2 0
1619535653.215249
RegOpenKeyExA
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IECT2700842
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IECT2700842
options: 0
failed 2 0
1619535655.200249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
options: 0
success 0 0
1619535655.215249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
options: 0
success 0 0
1619535655.215249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
options: 0
success 0 0
1619535655.215249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
options: 0
success 0 0
1619535655.215249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
options: 0
success 0 0
1619535655.215249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
options: 0
success 0 0
1619535655.215249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
options: 0
success 0 0
1619535655.215249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
options: 0
success 0 0
1619535655.215249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
options: 0
success 0 0
1619535655.215249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
options: 0
success 0 0
1619535655.215249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
options: 0
success 0 0
1619535655.231249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
options: 0
success 0 0
1619535655.231249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
options: 0
success 0 0
1619535655.231249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
options: 0
success 0 0
1619535655.231249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
options: 0
success 0 0
1619535655.231249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
options: 0
success 0 0
1619535655.231249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
options: 0
success 0 0
1619535655.231249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
options: 0
success 0 0
1619535655.246249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
options: 0
success 0 0
1619535655.246249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
options: 0
success 0 0
1619535655.246249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
options: 0
success 0 0
1619535655.246249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
options: 0
success 0 0
1619535655.246249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
options: 0
success 0 0
1619535655.246249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
options: 0
success 0 0
1619535655.246249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
options: 0
success 0 0
1619535655.246249
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000284
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
options: 0
success 0 0
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Attempts to identify installed AV products by registry key (3 events)
registry HKEY_LOCAL_MACHINE\SOFTWARE\AVG SafeGuard toolbar
registry HKEY_CURRENT_USER\Software\AVG SafeGuard toolbar
registry HKEY_LOCAL_MACHINE\SOFTWARE\AVG Security Toolbar
Collects information about installed applications (7 events)
Time & API Arguments Status Return Repeated
1619535655.293249
RegQueryValueExA
key_handle: 0x00000284
value: Microsoft .NET Framework 4 Client Profile
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft .NET Framework 4 Client Profile\DisplayName
success 0 0
1619535655.293249
RegQueryValueExA
key_handle: 0x00000284
value: Microsoft .NET Framework 4 Extended
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft .NET Framework 4 Extended\DisplayName
success 0 0
1619535655.340249
RegQueryValueExA
key_handle: 0x00000284
value: Oracle VM VirtualBox Guest Additions 6.1.18
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\DisplayName
success 0 0
1619535655.356249
RegQueryValueExA
key_handle: 0x00000284
value: Microsoft .NET Framework 4 Extended
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8E34682C-8118-31F1-BC4C-98CD9675E1C2}\DisplayName
success 0 0
1619535655.371249
RegQueryValueExA
key_handle: 0x00000284
value: Python 2.7.18 (64-bit)
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5F504DF-2ED9-4A2D-A2F3-9D2750DD42D6}\DisplayName
success 0 0
1619535655.387249
RegQueryValueExA
key_handle: 0x00000284
value: Microsoft Visual C++ 2010 x64 Redistributable - 10.0.30319
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}\DisplayName
success 0 0
1619535655.403249
RegQueryValueExA
key_handle: 0x00000284
value: Microsoft .NET Framework 4 Client Profile
regkey_r: DisplayName
reg_type: 1 (REG_SZ)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}\DisplayName
success 0 0
Detects VirtualBox through the presence of a registry key (5 events)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\Publisher
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\InstallLocation
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\DisplayName
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Oracle VM VirtualBox Guest Additions\CrPublisherId
Detects VMware through the presence of a registry key (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.
Detects VMware through the x86 IN instruction feature (1 event)
Time & API Arguments Status Return Repeated
1619535653.106249
__exception__
stacktrace:
detectVm+0x20 disableProxyIE-0x2b installerutils+0x7457 @ 0x74837457
au_+0x2899 @ 0x402899
au_+0x3815 @ 0x403815
au_+0x170f @ 0x40170f
au_+0x3815 @ 0x403815
au_+0x170f @ 0x40170f
au_+0x3815 @ 0x403815
au_+0x38bd @ 0x4038bd
au_+0x61ad @ 0x4061ad
au_+0x4714 @ 0x404714
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2684632
registers.edi: 1954772023
registers.eax: 1447909480
registers.ebp: 2684688
registers.edx: 22104
registers.ebx: 0
registers.esi: 0
registers.ecx: 10
exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e7 5b 59 5a c7 45
exception.instruction: in eax, dx
exception.exception_code: 0xc0000096
exception.symbol: DestroyDialogProc-0x2abe installerutils+0x4250
exception.address: 0x74834250
success 0 0
File has been identified by 54 antivirus engines on VirusTotal as malicious (50 of 54 events)
Elastic malicious (high confidence)
DrWeb Trojan.Crossrider1.29711
MicroWorld-eScan Adware.Crossrider.FR
FireEye Generic.mg.5f34088c4b9340fd
CAT-QuickHeal AdWare.CrossRider.A4
Qihoo-360 Win32/Virus.Adware.798
Cylance Unsafe
Zillya Adware.CrossRider.Win32.34261
SUPERAntiSpyware PUP.CrossRider/Variant
Sangfor Malware
K7AntiVirus Adware ( 004b8ca21 )
Alibaba AdWare:Win32/CrossRider.04d7b747
K7GW Adware ( 004b8ca21 )
CrowdStrike win/malicious_confidence_80% (D)
Arcabit Adware.Crossrider.FQ
BitDefenderTheta Gen:NN.ZedlaF.34670.Wq4@aSI0eWp
Cyren W32/Crossrider.N.gen!Eldorado
Symantec ML.Attribute.HighConfidence
ESET-NOD32 Win32/Packed.VMDetector.I potentially unwanted
APEX Malicious
ClamAV Win.Trojan.14771715-1
Kaspersky not-a-virus:HEUR:AdWare.Win32.CrossRider.gen
BitDefender Adware.Crossrider.FR
NANO-Antivirus Trojan.Win32.Crossrider1.dsmcfv
Paloalto generic.ml
AegisLab Adware.Win32.CrossRider.2!c
Rising PUF.CrossRider!8.84 (TFE:5:uFznOm1R4NC)
Emsisoft Adware.Crossrider.FR (B)
Comodo ApplicUnwnt@#28zitp6gctpf7
F-Secure Adware.ADWARE/CrossRider.Gen7
VIPRE Crossrider (fs)
McAfee-GW-Edition BehavesLike.Win32.Playtech.dc
Sophos Generic PUA AD (PUA)
SentinelOne Static AI - Suspicious PE
Jiangmin AdWare/CrossRider.l
Avira ADWARE/CrossRider.Gen7
Antiy-AVL GrayWare[AdWare]/Win32.CrossRider.agrk
Microsoft Program:Win32/Ymacco.AA65
ViRobot Adware.Crossrider.1022073
ZoneAlarm not-a-virus:HEUR:AdWare.Win32.CrossRider.gen
GData NSIS.Adware.Crossrider.E
Cynet Malicious (score: 100)
AhnLab-V3 PUP/Win32.CrossRider.R336816
McAfee Artemis!5F34088C4B93
MAX malware (ai score=85)
VBA32 BScope.Trojan.OutBrowse
Malwarebytes PUP.Optional.CrossRider
Tencent Win32.Adware.Crossrider.Sxom
Yandex Riskware.VMDetector!EI5Ir64NKMQ
Ikarus PUA.Toolbar.CrossRider
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were generated while this sample ran


PE Compile Time

2012-12-04 21:55:02

Imports

Library ADVAPI32.dll:
0x44c340 RegCloseKey
0x44c344 RegCreateKeyExA
0x44c348 RegDeleteKeyA
0x44c34c RegDeleteValueA
0x44c350 RegEnumKeyA
0x44c354 RegEnumValueA
0x44c358 RegOpenKeyExA
0x44c35c RegQueryValueExA
0x44c360 RegSetValueExA
Library COMCTL32.DLL:
0x44c368 ImageList_AddMasked
0x44c36c ImageList_Create
0x44c370 ImageList_Destroy
0x44c374 InitCommonControls
Library GDI32.dll:
0x44c37c CreateBrushIndirect
0x44c380 CreateFontIndirectA
0x44c384 DeleteObject
0x44c388 GetDeviceCaps
0x44c38c SelectObject
0x44c390 SetBkColor
0x44c394 SetBkMode
0x44c398 SetTextColor
Library KERNEL32.dll:
0x44c3a0 CloseHandle
0x44c3a4 CompareFileTime
0x44c3a8 CopyFileA
0x44c3ac CreateDirectoryA
0x44c3b0 CreateFileA
0x44c3b4 CreateProcessA
0x44c3b8 CreateThread
0x44c3bc DeleteFileA
0x44c3c0 ExitProcess
0x44c3c8 FindClose
0x44c3cc FindFirstFileA
0x44c3d0 FindNextFileA
0x44c3d4 FreeLibrary
0x44c3d8 GetCommandLineA
0x44c3dc GetCurrentProcess
0x44c3e0 GetDiskFreeSpaceA
0x44c3e4 GetExitCodeProcess
0x44c3e8 GetFileAttributesA
0x44c3ec GetFileSize
0x44c3f0 GetFullPathNameA
0x44c3f4 GetLastError
0x44c3f8 GetModuleFileNameA
0x44c3fc GetModuleHandleA
0x44c404 GetProcAddress
0x44c408 GetShortPathNameA
0x44c40c GetSystemDirectoryA
0x44c410 GetTempFileNameA
0x44c414 GetTempPathA
0x44c418 GetTickCount
0x44c41c GetVersion
0x44c424 GlobalAlloc
0x44c428 GlobalFree
0x44c42c GlobalLock
0x44c430 GlobalUnlock
0x44c434 LoadLibraryA
0x44c438 LoadLibraryExA
0x44c43c MoveFileA
0x44c440 MulDiv
0x44c444 MultiByteToWideChar
0x44c448 ReadFile
0x44c44c RemoveDirectoryA
0x44c450 SearchPathA
0x44c458 SetErrorMode
0x44c45c SetFileAttributesA
0x44c460 SetFilePointer
0x44c464 SetFileTime
0x44c468 Sleep
0x44c46c WaitForSingleObject
0x44c470 WriteFile
0x44c478 lstrcatA
0x44c47c lstrcmpA
0x44c480 lstrcmpiA
0x44c484 lstrcpynA
0x44c488 lstrlenA
Library ole32.dll:
0x44c490 CoCreateInstance
0x44c494 CoTaskMemFree
0x44c498 OleInitialize
0x44c49c OleUninitialize
Library SHELL32.DLL:
0x44c4a4 SHBrowseForFolderA
0x44c4a8 SHFileOperationA
0x44c4ac SHGetFileInfoA
0x44c4b8 ShellExecuteA
Library USER32.dll:
0x44c4c0 AppendMenuA
0x44c4c4 BeginPaint
0x44c4c8 CallWindowProcA
0x44c4cc CharNextA
0x44c4d0 CharPrevA
0x44c4d4 CheckDlgButton
0x44c4d8 CloseClipboard
0x44c4dc CreateDialogParamA
0x44c4e0 CreatePopupMenu
0x44c4e4 CreateWindowExA
0x44c4e8 DefWindowProcA
0x44c4ec DestroyWindow
0x44c4f0 DialogBoxParamA
0x44c4f4 DispatchMessageA
0x44c4f8 DrawTextA
0x44c4fc EmptyClipboard
0x44c500 EnableMenuItem
0x44c504 EnableWindow
0x44c508 EndDialog
0x44c50c EndPaint
0x44c510 ExitWindowsEx
0x44c514 FillRect
0x44c518 FindWindowExA
0x44c51c GetClassInfoA
0x44c520 GetClientRect
0x44c524 GetDC
0x44c528 GetDlgItem
0x44c52c GetDlgItemTextA
0x44c530 GetMessagePos
0x44c534 GetSysColor
0x44c538 GetSystemMenu
0x44c53c GetSystemMetrics
0x44c540 GetWindowLongA
0x44c544 GetWindowRect
0x44c548 InvalidateRect
0x44c54c IsWindow
0x44c550 IsWindowEnabled
0x44c554 IsWindowVisible
0x44c558 LoadBitmapA
0x44c55c LoadCursorA
0x44c560 LoadImageA
0x44c564 MessageBoxIndirectA
0x44c568 OpenClipboard
0x44c56c PeekMessageA
0x44c570 PostQuitMessage
0x44c574 RegisterClassA
0x44c578 ScreenToClient
0x44c57c SendMessageA
0x44c580 SendMessageTimeoutA
0x44c584 SetClassLongA
0x44c588 SetClipboardData
0x44c58c SetCursor
0x44c590 SetDlgItemTextA
0x44c594 SetForegroundWindow
0x44c598 SetTimer
0x44c59c SetWindowLongA
0x44c5a0 SetWindowPos
0x44c5a4 SetWindowTextA
0x44c5a8 ShowWindow
0x44c5b0 TrackPopupMenu
0x44c5b4 wsprintfA
Library VERSION.dll:
0x44c5bc GetFileVersionInfoA
0x44c5c4 VerQueryValueA

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900
192.168.56.101 58368 239.255.255.250 3702
192.168.56.101 58707 239.255.255.250 3702

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.