| 查杀引擎 | 查杀结果 | 查杀时间 | 查杀版本 |
|---|---|---|---|
| Alibaba | Trojan:Win32/AutoitCrypt.180 | 20190527 | 0.3.0.5 |
| Baidu | 20190318 | 1.0.0.2 | |
| Avast | AutoIt:Injector-JF [Trj] | 20210102 | 21.1.5827.0 |
| Kingsoft | Win32.Troj.Undef.(kcloud) | 20210105 | 2017.9.26.565 |
| McAfee | Artemis!615E5DD90574 | 20210102 | 6.0.6.653 |
| Tencent | Malware.Win32.Gencirc.10b639e7 | 20210105 | 1.0.0.1 |
| CrowdStrike | win/malicious_confidence_80% (D) | 20190702 | 1.0 |
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1619513314.68585 GetComputerNameW |
computer_name:
OSKAR-PC
|
success | 1 | 0 |
|
1619513314.70185 GetComputerNameW |
computer_name:
OSKAR-PC
|
success | 1 | 0 |
| suspicious_features | POST method with no referer header | suspicious_request | POST https://update.googleapis.com/service/update2?cup2key=10:1447161241&cup2hreq=4aa6d1fe3c1b12ca94668c2e7161c878db5f7be1d13536e1c4555e9ba6292760 | ||||||
| domain | rem-pounds.ddns.net |
| request | HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe |
| request | HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619484744&mv=m&mvi=1&pl=23&shardbypass=yes |
| request | HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9857fb184c0e48b3&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619484744&mv=m |
| request | GET http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9857fb184c0e48b3&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619484744&mv=m |
| request | POST https://update.googleapis.com/service/update2?cup2key=10:1447161241&cup2hreq=4aa6d1fe3c1b12ca94668c2e7161c878db5f7be1d13536e1c4555e9ba6292760 |
| request | POST https://update.googleapis.com/service/update2?cup2key=10:1447161241&cup2hreq=4aa6d1fe3c1b12ca94668c2e7161c878db5f7be1d13536e1c4555e9ba6292760 |
| description | 615e5dd905741e5d1b836a26ac3d255c.exe tried to sleep 247 seconds, actually delayed analysis time by 247 seconds | |||
| file | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WMPDMC.lnk |
| file | C:\Users\Administrator.Oskar-PC\AppData\Roaming\klist\drvinst.exe.bat |
| file | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WMPDMC.lnk |
| file | C:\Users\Administrator.Oskar-PC\AppData\Roaming\klist\drvinst.exe.bat |
| process | 615e5dd905741e5d1b836a26ac3d255c.exe |
| buffer | Buffer with sha1: 9e1aaa3d54f5452f0460ed392e8a988af809a937 |
| buffer | Buffer with sha1: 6814db9bf5ba7822eda634d228c3f1c1bb18897b |
| host | 172.217.24.14 | |||
| host | 203.208.40.66 | |||
| file | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WMPDMC.lnk |
| Time & API | Arguments | Status | Return | Repeated |
|---|---|---|---|---|
|
1619513315.13885 WriteProcessMemory |
process_identifier:
2868
buffer: �� � process_handle: 0x0000027c base_address: 0xfffde008 |
success | 1 | 0 |
| Bkav | W32.AIDetectVM.malware1 |
| Elastic | malicious (high confidence) |
| MicroWorld-eScan | Trojan.GenericKD.43769021 |
| FireEye | Generic.mg.615e5dd905741e5d |
| CAT-QuickHeal | Trojan.Script |
| ALYac | Trojan.GenericKD.43769021 |
| Cylance | Unsafe |
| Sangfor | Malware |
| K7AntiVirus | Trojan ( 0054f46e1 ) |
| Alibaba | Trojan:Win32/AutoitCrypt.180 |
| K7GW | Trojan ( 0054f46e1 ) |
| Cybereason | malicious.905741 |
| Arcabit | Trojan.Generic.D29BDCBD |
| BitDefenderTheta | AI:Packer.F34CB91817 |
| Cyren | W32/AutoIt.QF.gen!Eldorado |
| Symantec | Trojan.Gen.MBT |
| APEX | Malicious |
| Paloalto | generic.ml |
| ClamAV | Win.Malware.Nymeria-6993200-0 |
| Kaspersky | Trojan.Script.Obit.gen |
| BitDefender | Trojan.GenericKD.43769021 |
| NANO-Antivirus | Trojan.Win32.Dwn.hkyzbl |
| AegisLab | Hacktool.Win32.Gamehack.3!e |
| Avast | AutoIt:Injector-JF [Trj] |
| Rising | Trojan.Injector/Autoit!1.BB8F (CLASSIC) |
| Ad-Aware | Trojan.GenericKD.43769021 |
| Emsisoft | Trojan.GenericKD.43769021 (B) |
| Comodo | Malware@#xjqa7uis2wbn |
| F-Secure | Trojan.TR/Agent.gfdstr |
| DrWeb | Trojan.DownLoader28.40437 |
| VIPRE | Trojan.Win32.Generic!BT |
| TrendMicro | TROJ_GEN.R002C0DLB20 |
| McAfee-GW-Edition | BehavesLike.Win32.TrojanAitInject.dh |
| Sophos | Mal/Generic-R + Troj/AutoIt-DAW |
| Ikarus | Trojan.Autoit |
| Webroot | W32.Trojan.Gen |
| Avira | TR/Agent.gfdstr |
| Antiy-AVL | GrayWare/Autoit.ShellCode.a |
| Kingsoft | Win32.Troj.Undef.(kcloud) |
| Microsoft | Backdoor:Win32/Rescoms.C!bit |
| ZoneAlarm | Trojan.Script.Obit.gen |
| GData | Trojan.GenericKD.43769021 |
| Cynet | Malicious (score: 100) |
| McAfee | Artemis!615E5DD90574 |
| MAX | malware (ai score=89) |
| VBA32 | Backdoor.Remcos |
| Malwarebytes | Backdoor.Remcos |
| ESET-NOD32 | Win32/Rescoms.B |
| TrendMicro-HouseCall | TROJ_GEN.R002C0DLB20 |
| Tencent | Malware.Win32.Gencirc.10b639e7 |
No hosts contacted.
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 49183 | 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com | 80 |
| 192.168.56.101 | 49184 | 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com | 80 |
| 192.168.56.101 | 49180 | 203.208.41.34 update.googleapis.com | 443 |
| 192.168.56.101 | 49182 | 203.208.41.65 redirector.gvt1.com | 80 |
| Source | Source Port | Destination | Destination Port |
|---|---|---|---|
| 192.168.56.101 | 50568 | 114.114.114.114 | 53 |
| 192.168.56.101 | 51378 | 114.114.114.114 | 53 |
| 192.168.56.101 | 53657 | 114.114.114.114 | 53 |
| 192.168.56.101 | 55368 | 114.114.114.114 | 53 |
| 192.168.56.101 | 57874 | 114.114.114.114 | 53 |
| 192.168.56.101 | 60384 | 114.114.114.114 | 53 |
| 192.168.56.101 | 61680 | 114.114.114.114 | 53 |
| 192.168.56.101 | 62318 | 114.114.114.114 | 53 |
| 192.168.56.101 | 65004 | 114.114.114.114 | 53 |
| 192.168.56.101 | 137 | 192.168.56.255 | 137 |
| 192.168.56.101 | 138 | 192.168.56.255 | 138 |
| 192.168.56.101 | 49713 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 50534 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 51808 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 51963 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 56804 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 57756 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 62191 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 63429 | 224.0.0.252 | 5355 |
| 192.168.56.101 | 1900 | 239.255.255.250 | 1900 |
| URI | Data |
|---|---|
| http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9857fb184c0e48b3&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619484744&mv=m | GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9857fb184c0e48b3&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619484744&mv=m HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Encoding: identity If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT Range: bytes=33132-46981 User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com |
| http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe | HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: redirector.gvt1.com |
| http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9857fb184c0e48b3&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619484744&mv=m | GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9857fb184c0e48b3&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619484744&mv=m HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Encoding: identity If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT Range: bytes=19740-33131 User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com |
| http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9857fb184c0e48b3&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619484744&mv=m | GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9857fb184c0e48b3&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619484744&mv=m HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Encoding: identity If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT Range: bytes=0-7269 User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com |
| http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9857fb184c0e48b3&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619484744&mv=m | GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9857fb184c0e48b3&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619484744&mv=m HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Encoding: identity If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT Range: bytes=7270-19739 User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com |
| http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9857fb184c0e48b3&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619484744&mv=m | HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9857fb184c0e48b3&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619484744&mv=m HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com |
| http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619484744&mv=m&mvi=1&pl=23&shardbypass=yes | HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619484744&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1 Connection: Keep-Alive Accept: */* Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r1---sn-j5o7dn7e.gvt1.com |
No ICMP traffic performed.
No IRC requests performed.
No Suricata Alerts
No Suricata TLS
No Snort Alerts