11.4
0-day

SHA256: 287a670ef47a8bc8f85dfc268cf8c93822dcc801e975d3f15d84003fb7408069
File name: 61a09e6a96c661afcaf379e197720cd5.exe
Analysis duration: 102s
Last analysis:
File size: 6.2MB
Static and dynamic detection tags: ADCARE ADVANCEDPCCARE ADVPASSMAN AI SCORE=67 EGRK FILEREPMETAGEN FQRTBS GENERIC PUA MF HIGH CONFIDENCE HOAX MALWARE@#PY37I0ZLEUZ7 OPTIMIZER OPTIMLOADER R002H07CF20 SPEEDCHECKER UNSAFE
Hawkeye engine
Not detected (no Hawkeye engine result for this sample)
Static verdict
Antivirus engines
Engine Result Scan date Engine version
McAfee AdvPassMan 20200318 6.0.6.653
Alibaba (none) 20190527 0.3.0.5
CrowdStrike (none) 20190702 1.0
Baidu (none) 20190318 1.0.0.2
Avast (none) 20200318 18.4.3895.0
Kingsoft (none) 20200318 2013.8.14.323
Tencent (none) 20200318 1.0.0.1
Static indicators
Queries for the computer name (10 events)
Time & API Arguments Status Return Repeated
1619518343.410249
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619518348.925249
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619518349.254249
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619518349.394249
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619518349.675249
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619517931.302895
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619517931.521895
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619518338.784876
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619518339.268374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619518361.831751
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (2 events)
Both calls returned 0 (the sandbox renders a FALSE return as "failed"); a plain IsDebuggerPresent check is routine in installer and .NET runtime code and is weak evidence of evasion on its own.
Time & API Arguments Status Return Repeated
1619518337.190374
IsDebuggerPresent
failed 0 0
1619518352.253751
IsDebuggerPresent
failed 0 0
Command line console output was observed (3 events)
Time & API Arguments Status Return Repeated
1619518338.799876
WriteConsoleW
buffer: Error:
console_handle: 0x0000000b
success 1 0
1619518338.799876
WriteConsoleW
buffer: The system cannot find the file specified.
console_handle: 0x0000000b
success 1 0
1619518339.674374
WriteConsoleW
buffer: Error: The process "apmui.exe" not found.
console_handle: 0x0000000b
success 1 0
Uses Windows APIs to generate a cryptographic key (4 events)
blob_type 6 is PUBLICKEYBLOB, and buffer <INVALID POINTER> with a zero export handle is consistent with the size-query form of CryptExportKey (pbData NULL): the process is reading public keys out of existing key handles, as TLS and licensing code does. No key generation is visible in these events.
Time & API Arguments Status Return Repeated
1619518356.159751
CryptExportKey
crypto_handle: 0x009914d8
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619518358.315751
CryptExportKey
crypto_handle: 0x00991b98
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619518359.596751
CryptExportKey
crypto_handle: 0x00991d58
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619518359.721751
CryptExportKey
crypto_handle: 0x00991e18
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
This executable is signed
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619518338.379249
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .itext
.itext is the standard code-section name emitted by Delphi-built binaries, which include Inno Setup installers (the is-T0D35.tmp\_isetup\ drop path below is Inno Setup's), so this is most likely the false positive the signature allows for.
Behavioural verdict
Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware related traffic (5 events)
The heuristic fires on any GET without a User-Agent header and any POST without a Referer. Here the bare GETs are the installer's own country and IP lookups against advancedpasswordmanager.com hosts, and the POST is a Google Update (Omaha) check-in, a protocol that never sends a Referer.
suspicious_features GET method with no useragent header suspicious_request GET http://cc.advancedpasswordmanager.com/ProductPrice.svc/getcountrycode
suspicious_features GET method with no useragent header suspicious_request GET http://www.advancedpasswordmanager.com/getIpAddress.asp
suspicious_features GET method with no useragent header suspicious_request GET http://trkr.advancedpasswordmanager.com/ipfiles/59_50_85_19.txt
suspicious_features GET method with no useragent header suspicious_request GET https://www.advancedpasswordmanager.com/getIpAddress.asp
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:1847206444&cup2hreq=05bfe7f7155fa804af3013fb21e53850123bf7d6a7c2b57e09fd6c7597d30c11
Performs some HTTP requests (10 events)
The crt.usertrust.com and authrootstl.cab fetches carry the User-Agent Microsoft-CryptoAPI/6.1 (see the raw requests below) and are Windows building the certificate chain for the installer's Authenticode signature; the HEAD requests to gvt1.com carry Microsoft BITS/7.5 and are the BITS download of GoogleUpdateSetup.exe. Only the advancedpasswordmanager.com requests are the installer's own code talking out.
request GET http://cc.advancedpasswordmanager.com/ProductPrice.svc/getcountrycode
request GET http://www.advancedpasswordmanager.com/getIpAddress.asp
request GET http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
request GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
request GET http://trkr.advancedpasswordmanager.com/ipfiles/59_50_85_19.txt
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619489065&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=e3b90326b33cd02c&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619489065&mv=m
request GET https://www.advancedpasswordmanager.com/getIpAddress.asp
request POST https://update.googleapis.com/service/update2?cup2key=10:1847206444&cup2hreq=05bfe7f7155fa804af3013fb21e53850123bf7d6a7c2b57e09fd6c7597d30c11
Sends data using the HTTP POST Method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:1847206444&cup2hreq=05bfe7f7155fa804af3013fb21e53850123bf7d6a7c2b57e09fd6c7597d30c11
Allocates read-write-execute memory (usually to unpack itself) (50 of 229 events shown)
Two patterns are mixed here. The three NtProtectVirtualMemory calls in pid 784 make the sample's own image RWX (the header at 0x00400000 and the sections at 0x00401000 and 0x0041b000), the usual footprint of an in-place unpacking stub. The long run of 4 KiB MEM_COMMIT allocations in pid 3236 with heap_dep_bypass 1 is what a JIT-compiled .NET process produces (several engines below name the family MSIL). Neither shows injection into another process: every process_handle is the pseudo-handle 0xffffffff (-1), i.e. the calling process itself.
Time & API Arguments Status Return Repeated
1619518336.893374
NtProtectVirtualMemory
process_identifier: 784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619518336.893374
NtProtectVirtualMemory
process_identifier: 784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 69632
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00401000
success 0 0
1619518336.893374
NtProtectVirtualMemory
process_identifier: 784
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 110592
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0041b000
success 0 0
1619518337.519249
NtAllocateVirtualMemory
process_identifier: 2144
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00550000
success 0 0
1619517980.646895
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00000000045c0000
success 0 0
1619518351.393751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00630000
success 0 0
1619518351.393751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006c0000
success 0 0
1619518352.065751
NtProtectVirtualMemory
process_identifier: 3236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x72431000
success 0 0
1619518352.268751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0066a000
success 0 0
1619518352.268751
NtProtectVirtualMemory
process_identifier: 3236
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x72432000
success 0 0
1619518352.268751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00662000
success 0 0
1619518352.612751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00672000
success 0 0
1619518352.815751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00673000
success 0 0
1619518352.846751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006ab000
success 0 0
1619518352.846751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006a7000
success 0 0
1619518352.878751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0067c000
success 0 0
1619518352.971751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00675000
success 0 0
1619518353.003751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008a0000
success 0 0
1619518353.909751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00676000
success 0 0
1619518353.956751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00677000
success 0 0
1619518354.424751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00678000
success 0 0
1619518354.471751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00679000
success 0 0
1619518354.471751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b0000
success 0 0
1619518354.706751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00686000
success 0 0
1619518354.706751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0068a000
success 0 0
1619518354.706751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00687000
success 0 0
1619518354.737751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0069a000
success 0 0
1619518354.815751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b1000
success 0 0
1619518354.831751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b2000
success 0 0
1619518355.346751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b3000
success 0 0
1619518355.378751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006a5000
success 0 0
1619518355.378751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0066b000
success 0 0
1619518355.518751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008a1000
success 0 0
1619518355.549751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0067d000
success 0 0
1619518355.565751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b4000
success 0 0
1619518355.581751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0067a000
success 0 0
1619518355.628751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b5000
success 0 0
1619518355.753751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b6000
success 0 0
1619518355.753751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b7000
success 0 0
1619518355.753751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b8000
success 0 0
1619518355.768751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008b9000
success 0 0
1619518355.768751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008ba000
success 0 0
1619518355.768751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008bb000
success 0 0
1619518355.768751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0067e000
success 0 0
1619518355.768751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008bc000
success 0 0
1619518355.799751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008bd000
success 0 0
1619518355.831751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008be000
success 0 0
1619518355.831751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008bf000
success 0 0
1619518355.831751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02370000
success 0 0
1619518355.831751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02371000
success 0 0
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)
Time & API Arguments Status Return Repeated
1619517932.849895
GetDiskFreeSpaceExW
root_path: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Explorer
free_bytes_available: 19451600896
total_number_of_free_bytes: 0
total_number_of_bytes: 0
success 1 0
Creates executable files on the filesystem (6 events)
Four of the six are .lnk shortcuts; the two DLLs, _shfoldr.dll and isxdl.dll, are Inno Setup's own helper libraries unpacked into its is-T0D35.tmp working directory.
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced Password Manager\Buy Advanced Password Manager.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced Password Manager\Advanced Password Manager.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-T0D35.tmp\_isetup\_shfoldr.dll
file C:\Users\Public\Desktop\Advanced Password Manager.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-T0D35.tmp\isxdl.dll
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced Password Manager\Uninstall Advanced Password Manager.lnk
Creates a shortcut to an executable file (6 events)
The Google Chrome.lnk on the public desktop, together with the GoogleUpdateSetup.exe download and the POST to update.googleapis.com, is consistent with the installer bundling a Google Chrome offer; the remaining shortcuts are the product's own Start Menu and desktop entries.
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced Password Manager\Buy Advanced Password Manager.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced Password Manager\Advanced Password Manager.lnk
file C:\Users\Public\Desktop\Advanced Password Manager.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Advanced Password Manager\Uninstall Advanced Password Manager.lnk
file C:\Program Files (x86)\Advanced Password Manager\Buy Advanced Password Manager.lnk
file C:\Users\Public\Desktop\Google Chrome.lnk
Creates a suspicious process (2 events)
Both command lines delete the scheduled task "Advanced Password Manager_launcher"; with the taskkill of apmui.exe and the WMI query for that process below, this is the installer clearing out a previous installation's launcher task and UI process before reinstalling. The console output above shows that neither existed in the sandbox.
cmdline "C:\Windows\System32\schtasks.exe" /delete /tn "Advanced Password Manager_launcher" /f
cmdline schtasks.exe /delete /tn "Advanced Password Manager_launcher" /f
Drops an executable to the user AppData folder (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-T0D35.tmp\_isetup\_shfoldr.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-T0D35.tmp\isxdl.dll
Executes one or more WMI queries (1 event)
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "apmui.exe")
A process created a hidden window (2 events)
show_type 0 is SW_HIDE: the installer runs schtasks.exe and taskkill.exe without a visible console window.
Time & API Arguments Status Return Repeated
1619518338.582249
ShellExecuteExW
parameters: /delete /tn "Advanced Password Manager_launcher" /f
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
1619518338.660249
ShellExecuteExW
parameters: /f /im "apmui.exe"
filepath: taskkill.exe
filepath_r: taskkill.exe
show_type: 0
success 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
The return value 111 is ERROR_BUFFER_OVERFLOW, the expected result of the first sizing call to GetAdaptersAddresses; no adapter list was actually obtained in this event.
Time & API Arguments Status Return Repeated
1619518361.987751
GetAdaptersAddresses
flags: 15
family: 0
failed 111 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
LookupPrivilegeValueW only resolves the LUID of SeDebugPrivilege; whether the privilege was then enabled and used (plausibly for the termination of apmui.exe) is not shown in the log.
Time & API Arguments Status Return Repeated
1619518339.253374
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Queries for potentially installed applications (4 events)
The _is1 suffix is Inno Setup's naming for its Uninstall key (the AppId followed by _is1) and return 2 is ERROR_FILE_NOT_FOUND: the installer checks under both HKCU and HKLM whether Advanced Password Manager is already installed, and it is not.
Time & API Arguments Status Return Repeated
1619518341.816249
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\71723B41-6F23-4C9E-9F4E-85CBA89639C2_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\71723B41-6F23-4C9E-9F4E-85CBA89639C2_is1
options: 0
failed 2 0
1619518341.816249
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\71723B41-6F23-4C9E-9F4E-85CBA89639C2_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\71723B41-6F23-4C9E-9F4E-85CBA89639C2_is1
options: 0
failed 2 0
1619518350.504249
RegOpenKeyExW
access: 0x00000008
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\71723B41-6F23-4C9E-9F4E-85CBA89639C2_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\71723B41-6F23-4C9E-9F4E-85CBA89639C2_is1
options: 0
failed 2 0
1619518350.519249
RegOpenKeyExW
access: 0x00000008
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\71723B41-6F23-4C9E-9F4E-85CBA89639C2_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\71723B41-6F23-4C9E-9F4E-85CBA89639C2_is1
options: 0
failed 2 0
Uses Windows utilities for basic Windows functionality (4 events)
cmdline "C:\Windows\System32\taskkill.exe" /f /im "apmui.exe"
cmdline "C:\Windows\System32\schtasks.exe" /delete /tn "Advanced Password Manager_launcher" /f
cmdline taskkill.exe /f /im "apmui.exe"
cmdline schtasks.exe /delete /tn "Advanced Password Manager_launcher" /f
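Added example, not part of the report: a small Python triage script that reads event blocks in the layout used throughout this report (a timestamp line, an API name line, key: value argument lines, then a status/return/repeated line) and re-derives three of the signatures above, namely the RWX memory allocations, the IsDebuggerPresent call, and the hidden-window (show_type 0, SW_HIDE) ShellExecuteExW launches of schtasks.exe and taskkill.exe. SAMPLE_LOG is a constructed excerpt copying a handful of the events shown above; the LOLBINS set and the finding kinds are this example's own choices, not sandbox definitions.

```python
"""Re-derive three of this report's signatures from its flattened event blocks:
RWX memory (PAGE_EXECUTE_READWRITE), IsDebuggerPresent, and hidden-window
ShellExecuteExW launches of LOLBins. Added example; SAMPLE_LOG is constructed."""
import re

TS_RE = re.compile(r"^\d{10}\.\d+$")                             # e.g. 1619518337.190374
STATUS_RE = re.compile(r"^(success|failed)\s+(-?\d+)\s+(\d+)$")  # status return repeated

MEM_APIS = {"NtAllocateVirtualMemory", "NtProtectVirtualMemory", "VirtualAlloc", "VirtualProtect"}
LOLBINS = {"schtasks.exe", "taskkill.exe", "cmd.exe", "wmic.exe", "powershell.exe"}  # example's own list

def parse_events(text: str) -> list:
    """Timestamp line -> API name line -> 'key: value' lines -> 'status return repeated' line."""
    events, cur, expect_api = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line):                     # a new event starts
            cur = {"ts": float(line), "api": "", "args": {}, "ok": False, "ret": 0, "repeated": 0}
            expect_api = True
            continue
        if cur is None:                           # table header rows before the first event
            continue
        if expect_api:
            cur["api"], expect_api = line, False
            continue
        m = STATUS_RE.match(line)
        if m:                                     # the sandbox prints a FALSE return as 'failed'
            cur["ok"], cur["ret"], cur["repeated"] = m.group(1) == "success", int(m.group(2)), int(m.group(3))
            events.append(cur)
            cur = None
            continue
        key, _, value = line.partition(":")       # first colon only: 'buffer: Error:' keeps its colon
        cur["args"][key.strip()] = value.strip()
    return events

def scan(events: list) -> list:
    """Return (kind, pid, detail) tuples; pid is '-' when the event carries none."""
    findings = []
    for e in events:
        api, a = e["api"], e["args"]
        pid = a.get("process_identifier", "-")
        if api in MEM_APIS and "PAGE_EXECUTE_READWRITE" in a.get("protection", ""):
            alloc = a.get("allocation_type", "")
            kind = "commit" if "MEM_COMMIT" in alloc else "reserve" if "MEM_RESERVE" in alloc else "protect"
            size = a.get("region_size") or a.get("length")
            findings.append(("rwx_memory", pid, f"{api} {kind} base={a.get('base_address')} size={size}"))
        elif api == "IsDebuggerPresent":
            findings.append(("anti_debug", pid, f"IsDebuggerPresent returned {e['ret']}"))
        elif api == "ShellExecuteExW":
            exe = a.get("filepath", "").rsplit("\\", 1)[-1].lower()
            detail = f"{exe} {a.get('parameters', '')}".strip()
            if a.get("show_type") == "0":         # SW_HIDE
                findings.append(("hidden_window", pid, detail))
            if exe in LOLBINS:
                findings.append(("lolbin", pid, detail))
    return findings

# Constructed excerpt in the report's own layout (values copied from events shown above).
SAMPLE_LOG = """\
1619518337.190374
IsDebuggerPresent
failed 0 0
1619518338.799876
WriteConsoleW
buffer: Error:
success 1 0
1619518336.893374
NtProtectVirtualMemory
process_identifier: 784
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x00400000
success 0 0
1619518351.393751
NtAllocateVirtualMemory
process_identifier: 3236
region_size: 4096
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x006c0000
success 0 0
1619518338.582249
ShellExecuteExW
parameters: /delete /tn "Advanced Password Manager_launcher" /f
filepath: schtasks.exe
show_type: 0
success 1 0
"""

if __name__ == "__main__":
    for kind, pid, detail in scan(parse_events(SAMPLE_LOG)):
        print(f"{kind:14} pid={pid:<5} {detail}")
```

Fed the full report, the useful output is not the raw count of RWX events but the split per pid and per kind: image-protection changes in the installer stub versus page-sized commits in the .NET child tell different stories, and the script keeps the process_identifier so that split can be made.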
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
172.217.24.14 lies in Google's address space, as does the dead host 142.250.66.78 further down; both fit the Google Update traffic above rather than a separate command channel. The missing DNS query only means the address came from somewhere other than a resolution observed in this capture, a cached entry for example.
Attempts to create or modify system certificates (1 event)
registry HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob
This is the current user's CA (intermediate) store, not the Root store, and the key name is the certificate's SHA-1 thumbprint; it appears to match the USERTrust RSA Certification Authority cross-certificate fetched from crt.usertrust.com above. The write is therefore consistent with CryptoAPI caching an intermediate while validating the installer's Authenticode signature, not with installing a new trusted root. Verify by comparing the SHA-1 of the certificate inside the Blob value with the key name.
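Added example (not from the report) for making that comparison offline. It walks the property records CryptoAPI serializes into a Certificates\<thumbprint>\Blob value (DWORD property id, DWORD reserved, DWORD length, data; the DER certificate is property 32 and the SHA-1 hash property 3), checks that the embedded certificate hashes to the key name, and reports whether a private-key link (property 2) is present. The blob bytes are constructed from a stand-in DER string; to run it on the real value, export the Blob from the registry and pass its bytes to check_blob.

```python
"""Check what a SystemCertificates\\...\\Certificates\\<thumbprint>\\Blob write added.
Added example, not from the report: the blob is built here in the record layout CryptoAPI
uses for serialized certificate properties so the parser can be exercised offline."""
import hashlib
import struct

CERT_KEY_PROV_INFO_PROP_ID = 2   # link to a private key (wincrypt.h property ids)
CERT_SHA1_HASH_PROP_ID = 3       # SHA-1 thumbprint, the same value used as the key name
CERT_CERT_PROP_ID = 32           # the DER-encoded certificate itself

def parse_cert_blob(blob: bytes) -> dict:
    """Walk the records: DWORD propid, DWORD reserved (1 in practice), DWORD length, data."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed property record at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after the last record")
    return props

def thumbprint_of(der: bytes) -> str:
    return hashlib.sha1(der).hexdigest().upper()

def check_blob(key_name: str, blob: bytes) -> dict:
    """Cross-check the registry key name against the SHA-1 of the embedded certificate."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        return {"ok": False, "reason": "no certificate record (property 32)"}
    tp = thumbprint_of(der)
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    return {
        "ok": tp == key_name.upper() and (stored is None or stored.hex().upper() == tp),
        "thumbprint": tp,
        "cert_len": len(der),
        # a private-key link on a certificate in the CA or Root store would be unusual
        "has_private_key_link": CERT_KEY_PROV_INFO_PROP_ID in props,
    }

def build_blob(der: bytes) -> bytes:
    """Serialize a certificate the way the store does (constructed demo helper)."""
    def rec(prop_id: int, data: bytes) -> bytes:
        return struct.pack("<III", prop_id, 1, len(data)) + data
    return rec(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest()) + rec(CERT_CERT_PROP_ID, der)

# Constructed stand-in for a DER certificate; a real value is the full X.509 SEQUENCE.
FAKE_DER = b"\x30\x82\x00\x10" + b"\x00" * 16

if __name__ == "__main__":
    blob = build_blob(FAKE_DER)          # in practice: the bytes of the exported Blob value
    print(check_blob(thumbprint_of(FAKE_DER), blob))
```

A thumbprint that does not match the key name, a private-key property on something dropped into CA\ or Root\, or a key under Root\ rather than CA\ would each move this finding from "cached intermediate" to "trust-store tampering".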
Generates some ICMP traffic
File has been identified by 25 AntiVirus engines on VirusTotal as malicious (25 detections)
The names split between product-specific PUA/riskware labels (AdvPassMan, AdvancedPcCare, SpeedChecker, AdCare, Generic PUA, PUP.Optional) and generic heuristic hoax/trojan labels; read together they classify the sample as a potentially unwanted system-utility installer rather than a backdoor or stealer.
McAfee AdvPassMan
Cylance Unsafe
ClamAV Win.Malware.Hoax-6878683-0
Kaspersky HEUR:Hoax.MSIL.Optimizer.gen
NANO-Antivirus Riskware.Win32.OptimLoader.fqrtbs
Emsisoft Application.AdCare (A)
Comodo Malware@#py37i0zleuz7
DrWeb Program.Unwanted.1561
Invincea heuristic
McAfee-GW-Edition AdvPassMan
Sophos Generic PUA MF (PUA)
Cyren W32/Trojan.EGRK-2050
MAX malware (ai score=67)
Microsoft PUA:Win32/SpeedChecker
Endgame malicious (high confidence)
ZoneAlarm HEUR:Hoax.MSIL.Optimizer.gen
AhnLab-V3 Malware/Gen.Generic.C3138068
Malwarebytes PUP.Optional.AdvancedPCCare
ESET-NOD32 a variant of MSIL/AdvancedPcCare.B potentially unwanted
TrendMicro-HouseCall TROJ_GEN.R002H07CF20
Yandex Riskware.Agent!
Fortinet Riskware/AdvPassMan
AVG FileRepMetagen [Malware]
Cybereason malicious.c42bbc
Qihoo-360 Win32/Trojan.Hoax.311
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)
dead_host 142.250.66.78:443
Visual analysis
Binary image: none (no binary visualization was generated for this sample)
Runtime screenshots: none (no screenshots were captured while the sample ran)


PE Compile Time

2014-07-09 15:58:13

Imports

Library oleaut32.dll:
0x4192fc SysFreeString
0x419300 SysReAllocStringLen
0x419304 SysAllocStringLen
Library advapi32.dll:
0x41930c RegQueryValueExW
0x419310 RegOpenKeyExW
0x419314 RegCloseKey
Library user32.dll:
0x41931c GetKeyboardType
0x419320 LoadStringW
0x419324 MessageBoxA
0x419328 CharNextW
Library kernel32.dll:
0x419330 GetACP
0x419334 Sleep
0x419338 VirtualFree
0x41933c VirtualAlloc
0x419340 GetSystemInfo
0x419344 GetTickCount
0x41934c GetVersion
0x419350 GetCurrentThreadId
0x419354 VirtualQuery
0x419358 WideCharToMultiByte
0x41935c MultiByteToWideChar
0x419360 lstrlenW
0x419364 lstrcpynW
0x419368 LoadLibraryExW
0x41936c GetThreadLocale
0x419370 GetStartupInfoA
0x419374 GetProcAddress
0x419378 GetModuleHandleW
0x41937c GetModuleFileNameW
0x419380 GetLocaleInfoW
0x419384 GetCommandLineW
0x419388 FreeLibrary
0x41938c FindFirstFileW
0x419390 FindClose
0x419394 ExitProcess
0x419398 WriteFile
0x4193a0 RtlUnwind
0x4193a4 RaiseException
0x4193a8 GetStdHandle
0x4193ac CloseHandle
Library kernel32.dll:
0x4193b4 TlsSetValue
0x4193b8 TlsGetValue
0x4193bc LocalAlloc
0x4193c0 GetModuleHandleW
Library user32.dll:
0x4193c8 CreateWindowExW
0x4193cc TranslateMessage
0x4193d0 SetWindowLongW
0x4193d4 PeekMessageW
0x4193dc MessageBoxW
0x4193e0 LoadStringW
0x4193e4 GetSystemMetrics
0x4193e8 ExitWindowsEx
0x4193ec DispatchMessageW
0x4193f0 DestroyWindow
0x4193f4 CharUpperBuffW
0x4193f8 CallWindowProcW
Library kernel32.dll:
0x419400 WriteFile
0x419404 WideCharToMultiByte
0x419408 WaitForSingleObject
0x41940c VirtualQuery
0x419410 VirtualProtect
0x419414 VirtualFree
0x419418 VirtualAlloc
0x41941c SizeofResource
0x419420 SignalObjectAndWait
0x419424 SetLastError
0x419428 SetFilePointer
0x41942c SetEvent
0x419430 SetErrorMode
0x419434 SetEndOfFile
0x419438 ResetEvent
0x41943c RemoveDirectoryW
0x419440 ReadFile
0x419444 MultiByteToWideChar
0x419448 LockResource
0x41944c LoadResource
0x419450 LoadLibraryW
0x419458 GetVersionExW
0x419460 GetThreadLocale
0x419464 GetSystemInfo
0x419468 GetStdHandle
0x41946c GetProcAddress
0x419470 GetModuleHandleW
0x419474 GetModuleFileNameW
0x419478 GetLocaleInfoW
0x41947c GetLastError
0x419480 GetFullPathNameW
0x419484 GetFileSize
0x419488 GetFileAttributesW
0x41948c GetExitCodeProcess
0x419494 GetDiskFreeSpaceW
0x419498 GetCurrentProcess
0x41949c GetCommandLineW
0x4194a0 GetCPInfo
0x4194a4 InterlockedExchange
0x4194ac FreeLibrary
0x4194b0 FormatMessageW
0x4194b4 FindResourceW
0x4194b8 EnumCalendarInfoW
0x4194bc DeleteFileW
0x4194c0 CreateProcessW
0x4194c4 CreateFileW
0x4194c8 CreateEventW
0x4194cc CreateDirectoryW
0x4194d0 CloseHandle
Library advapi32.dll:
0x4194d8 RegQueryValueExW
0x4194dc RegOpenKeyExW
0x4194e0 RegCloseKey
0x4194e4 OpenProcessToken
Library comctl32.dll:
0x4194f0 InitCommonControls
Library kernel32.dll:
0x4194f8 Sleep
Library advapi32.dll:

Hosts

No hosts contacted (as recorded by this section; the TCP table below lists the connections that were actually observed).

TCP

Source Source port Destination IP Destination host Destination port
192.168.56.101 49206 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49207 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49204 113.108.239.226 update.googleapis.com 443
192.168.56.101 49199 124.225.105.97 www.download.windowsupdate.com 80
192.168.56.101 49205 203.208.50.33 redirector.gvt1.com 80
192.168.56.101 49200 203.77.190.0 trkr.advancedpasswordmanager.com 80
192.168.56.101 49193 216.245.208.194 cc.advancedpasswordmanager.com 80
192.168.56.101 49194 216.245.208.195 www.advancedpasswordmanager.com 80
192.168.56.101 49195 216.245.208.195 www.advancedpasswordmanager.com 443
192.168.56.101 49196 91.199.212.52 crt.usertrust.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58070 224.0.0.252 5355
192.168.56.101 60088 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 60221 224.0.0.252 5355

HTTP & HTTPS Requests

URI Raw request
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT
If-None-Match: "0d8f4f3f6fd71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://www.advancedpasswordmanager.com/getIpAddress.asp
GET /getIpAddress.asp HTTP/1.1
Host: www.advancedpasswordmanager.com
Cache-Control: no-store,no-cache
Pragma: no-cache
Connection: Keep-Alive

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=e3b90326b33cd02c&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619489065&mv=m
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=e3b90326b33cd02c&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619489065&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
GET /USERTrustRSAAddTrustCA.crt HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crt.usertrust.com

http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619489065&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619489065&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

http://trkr.advancedpasswordmanager.com/ipfiles/59_50_85_19.txt
GET /ipfiles/59_50_85_19.txt HTTP/1.1
Host: trkr.advancedpasswordmanager.com
Cache-Control: no-store,no-cache
Pragma: no-cache
Connection: Keep-Alive

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT
If-None-Match: "0d8f4f3f6fd71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://cc.advancedpasswordmanager.com/ProductPrice.svc/getcountrycode
GET /ProductPrice.svc/getcountrycode HTTP/1.1
Host: cc.advancedpasswordmanager.com
Cache-Control: no-store,no-cache
Pragma: no-cache
Connection: Keep-Alive
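Added example, not part of the report: the "GET with no User-Agent / POST with no Referer" heuristic from the dynamic indicators, re-implemented over raw request heads in the format printed above so it can be run against a capture offline. SAMPLE_CAPTURE is constructed from the requests listed in this section; the POST to update.googleapis.com is given assumed headers because the report shows only its URL, and flagging HEAD requests without a User-Agent is this example's small extension of the sandbox rule.

```python
"""Re-implement the report's 'HTTP traffic contains suspicious features' heuristic over
raw request heads. Added example; SAMPLE_CAPTURE is constructed from the report's requests
and the POST's headers are assumed (the report lists only its URL)."""
import re

REQ_LINE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS)\s+(\S+)\s+HTTP/\d\.\d$")

def parse_requests(capture: str) -> list:
    """Each request = request line followed by header lines; a blank line ends it."""
    requests, cur = [], None
    for raw in capture.splitlines():
        line = raw.strip()
        if not line:                      # blank line: end of the current request head
            cur = None
            continue
        m = REQ_LINE.match(line)
        if m:
            cur = {"method": m.group(1), "target": m.group(2), "headers": {}}
            requests.append(cur)
        elif cur is not None:
            name, _, value = line.partition(":")
            cur["headers"][name.strip().lower()] = value.strip()
    return requests

def suspicious_features(req: dict) -> list:
    """The sandbox rule: GET without User-Agent, POST without Referer (HEAD added here)."""
    h, feats = req["headers"], []
    if req["method"] in ("GET", "HEAD") and not h.get("user-agent"):
        feats.append(f"{req['method']} method with no useragent header")
    if req["method"] == "POST" and not h.get("referer"):
        feats.append("POST method with no referer header")
    if not h.get("host"):
        feats.append("no Host header")
    return feats

def request_url(req: dict) -> str:
    """host + target; the scheme is not recoverable from the request head alone."""
    return req["headers"].get("host", "?") + req["target"]

def scan_capture(capture: str) -> list:
    hits = []
    for req in parse_requests(capture):
        feats = suspicious_features(req)
        if feats:
            hits.append((req["method"], request_url(req), feats))
    return hits

# Constructed capture: four request heads copied from this section plus an assumed POST.
SAMPLE_CAPTURE = """\
GET /getIpAddress.asp HTTP/1.1
Host: www.advancedpasswordmanager.com
Cache-Control: no-store,no-cache
Pragma: no-cache
Connection: Keep-Alive

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft BITS/7.5
Host: redirector.gvt1.com

GET /ipfiles/59_50_85_19.txt HTTP/1.1
Host: trkr.advancedpasswordmanager.com
Connection: Keep-Alive

POST /service/update2?cup2key=10:1847206444 HTTP/1.1
Host: update.googleapis.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
"""

if __name__ == "__main__":
    for method, url, feats in scan_capture(SAMPLE_CAPTURE):
        print(f"{method:5} {url}\n      {'; '.join(feats)}")
```

On the sample this flags the two advancedpasswordmanager.com GETs and the Google Update POST and leaves the CryptoAPI and BITS requests alone, which matches the report. The point to take away is that the rule keys on missing headers only, so a downloader written with WinINet defaults and Google's own updater trigger it equally; the destination hosts, not the feature, carry the verdict.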

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.