SmartHawk

10.2

0-day

18 个模型检测该样本为恶意！

重新分析

下载样本

7eb06901c944384abc78e41d5ca738b849fdb433700935cb7b0996571b96ca4c

67107c14d28a9c980269879f96b91948.exe

分析耗时

105s

最近分析

文件大小

893.1KB

静态报毒动态报毒 ARTEMIS CLASSIC CONFIDENCE CROSSRIDER GENERIC PUA FH GRAYWARE HFSADWARE HIGH CONFIDENCE PLAYTECH UNSAFE 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba		20190527	0.3.0.5
CrowdStrike	win/malicious_confidence_80% (D)	20190702	1.0
Avast		20191114	18.4.3895.0
Tencent		20191114	1.0.0.1
Baidu		20190318	1.0.0.2
Kingsoft		20191114	2013.8.14.323
McAfee	Artemis!67107C14D28A	20191113	6.0.6.653

This executable is signed

Tries to locate where the browsers are installed (3 个事件)

registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
registry	HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Mozilla Firefox
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620762718.62475 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.ndata

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (14 个事件)

request	GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
request	GET http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
request	GET http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
request	GET http://fallback.playtech-installer.com/playtech_compressed_assets/titan_poker/index.7ze
request	GET http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEHSfdSPcp6pyLdnEz5lZ6ec%3D
request	GET http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
request	GET http://fallback.playtech-installer.com/playtech_compressed_assets/titan_poker/templates/installer/new_feb_17.7ze
request	GET http://cache.download.titen-poker.com/download/poker/client_update_urls.php
request	GET http://cache.download.titen-poker.com/download/poker/20.7.6.7/casino[en].cab
request	GET https://t8u4n6u7.ssl.hwcdn.net/stats.gif?data=arU7k2n8zbtZLSz8oUiYOtSeUaqpoftuwqshVTPVshmKeFE8ewczsY2pntRKmVRXxMuOOZc16MQRzgL2o1E4FVaBBa6AGal%2B4nngJ6zN64B7wZqjyHIVl%2Bzd38c87KBRDLoj15tL01%2BSoQqr7IDYi%2BZwNiZ70XEAtNR8%2Bacz6MISYl036Ku78FDsMYDHRYSldqeQVABSW8y5YuwWA5o19nWrDWHruvaVHDGR%2F2162jadV2QdU3zt%2FmP4038AqFGIkiR89iogA6F7NNlOfk1m6XuirLjS55EJa76gsqNFXPYOXLTPPR3NK6l3JD%2F%2BuY8%2BGDg1iVjLSbE7RQ1tv%2FOjENmVQIglBbO14%2BMpjBLPZrM9JOFz5UV7IIbn6OFZPNNnTRLBhbH98%2BCGAfFCgSFW%2F%2FVwmJrh4Lui%2BJWa9O0Ml3VJadW5%2BcGjk39r28a7q72%2FMKmbPX5atIMWe%2BFHJFbp2rTQYX6d%2FRe0l1HpZOYhoE6xE7yACd5y%2B%2BowbZxwPKuxiVIrDhZnEpgYZWF5HXgcMmOb6RBxzjE9HpabUCqer9CEj4x3lVxpiiN7InpeTF%2FosEM2cCslM06LPkyt6RHElUuKKKq1lVKzKkhww9kp2GTAjX9sUcTjUpRS%2Bbyym%2FfBueTAU09qH6pa8tJqZ817PHhzUS2Z1RcARZwI1V%2By0SQ%3D
request	GET https://c6m7w2m9.ssl.hwcdn.net/playtech_compressed_assets/titan_poker/templates/installer/new_feb_17.7ze
request	GET https://t8u4n6u7.ssl.hwcdn.net/stats.gif?data=TrcmEwnVznV9tr4cTq2%2BYgLKygxVLKhqAXzrcYWHvwXz5tMre5SFdYHpqxCMTR4LzfIg%2F%2FAtpTu%2Bt2K9cVR8kWj24y2%2F%2F2UlInNBnq4gQ6Qzv5EQQXOAzaV5jqXw64w1f8u1YkKwqIEbb9DdMln8Uyh8AeNblDcDzSyopTHE0Sw5nZUmMUUdN0KZTAqzJX6%2FT6FWM48qkQGk6ilEHKk4p5Yz1oZAidJrKfCdyFpeP%2BX9wdIGs1JGnHq66IyV0LD5von4GdgeesYIy4Z3HRa4BzqD78UbM7XrUwAEtFrXYzjxKNSQBLWq%2FRJq79tgKoV1j1qtgng%2BBAeksA1VnVFioOWuAipfh0QNqcBcC%2BG427rqMTRd0gHIlAIt3wzqjOcnXAogNDkwTq5F675FwiD3BK2%2BAC0SwAGX9cXFrtB81KFNHcP39vdkn7L5W26kEXL1K7Uwu20hFM1sag4e75Z34l%2B7g9jlXyX81UgPn%2BS3QfXdzxSYoYLkeRRmYyc9mE%2F8vzy2mbVvD2RNPHTvgLEhDypuPuG1LMpTYI4UT38FTvqTB93a5lpJeaAhSbt0oTwul%2FWk61VOPJCiYHtEZKC7ntXhlNjkyiiRpmoioaEI6GR8y0BH8Xa7oKyBK3oh1%2B%2FekrfnRG3cmWNuK8z1tMZWL8RCS9ie3l8LO6Befq1Ol1nPlbhJG3ZW29Zl8KicwmY%2FQADuB%2FF6zPyvslkdDRL0463OUduOTliSuQ7dkqem6oR7LQL29TMJwLSpBsruuftVRqIBi7yYzttm9iY6ZF42XcHtWPFWYy4kc4vMJmDvvUnWyIhq2Ecd6YXbEpT2Em1BOhkVjIOwGBH1HAgAtlM4tPJiR3YaKCMhi9e3X8atTxUVkjX%2BXeGtvTjqf296BMB6OPTsrteKRTg%2BmCFlDZEgluk%2BeC%2BWq%2BJZNPexMQS7QN9P4I55Ij6fusNROS52ePFEcBccTFzJvnngHxzM9EqGQTbMMb6bQpyCN4voMHJINFpmVdaCohfUCQQiA62vT8UT1av6OWMfJPdiCrgriADsvf8IPXpcpgbPXs0BxBmsBORwwST3ZJdSRwsWSzca8hIjEYPYiWqoCKGtqoccHLNXFjKYPAbJhC1GEaa4LFOT2j9JXk6MZYSuz3myuploIHte7LPQWlwVF2rwic8Xrs7UxpXxGSWMvEBZvAB%2BTAflgkNLxEIXQ8F5Q1a0XbZPQR9gmvEUnRTxoTvWbDqFcao%2F0hivWutmN5yet%2FFWMIR2GlwHk6e7psVhKl3r6nrT4xo7ls2bwkrvRjgre95VxswEItz2hbWjX4ea564eAKu8MIrmoOhPWWaHJ7t7j0hKPVBFokl7OHadrmNm%2FBL2HeZW2Q%3D%3D
request	GET https://t8u4n6u7.ssl.hwcdn.net/stats.gif?data=JF%2B9KoZ4UtBLV%2F7%2BrMrP9BbK%2B%2Ft8q8EuBZSenqRAXAW8izy55kRpJOs%2BQmxgHiJETxjR5LqBURN7w6HsiHIJ86MfbkQ8KdTKOCkt3R1lMoyW85nVLKrm4K82sA7Bz3DhTla7CrVeT4awGaDDOuV76kemN2GTTFhce4ETE33pUBgwE%2F03vcSiWBhw0d27PtUp6VnUYXFzRlJJ4lLcUvK527rwwUm5OrGRxsKtC%2BiF3Y2Lr2N%2F5t%2FofExsmfNG%2Bg0Adc2C9Ewm22VXV%2B9mAZB6ZJkLGaqIv%2BhtDX%2BNupbsbMYCsjauHmbzmusedvAfBiiBhWsWqgap4uxCbQWpxwto%2BzmC1dHTzwxGWZ20Nn%2FX%2FSopToOYUX%2Bn8aFFyUq7%2FptbZxsXkYEHkUyTys%2FvKFmsDwC2AQV7ZfvhOZFh%2Fd13VnAfJbRRcCHbbAUPvHrzkWKRXlt2KAcpp2QGbHLRd3KYDhU%2F332C4Pt08%2Bys9SVVlDylPdSqvxOFZKdNyybRLaDBN1ZkybLdsOkYkDbQeHTJ1%2B7O0FcN6%2F8%2BlLV9qJxh%2B47HzPcn7hCvjdqV2W6rQJgGDbYkQ7VCPRDciqTjjtVDegoo1PJV6YEEMnL36wDFRIi9H0Be8YCdDtV9bcGDoyys%2BpTkEmfpqvU6Sw6nV7i6BsIwRxS5TWgb6Xa4UBN15zQ%3D
request	GET https://t8u4n6u7.ssl.hwcdn.net/stats.gif?data=OREq9iAVwRJFC8MZWtwcNbBdEshuhi%2BA7wopffP7J6RCbV8EVH8oPT%2FPOmS4BO4NjgYadVf1MdWMYklR19%2BSyqtdPx61BJN9QUSVd%2FqeXFntApEGRpwZQXZJmyQKqL7QLQ6186m789o1nAe38sfdSh6jO%2BBgEuptsOId4O0MCKHrLq%2BNYyVdM3%2Fx%2FMTSWNJqk3IvYPIy7XDUCNi2uSqpi4LRi5Qeoybq7tUGAVhwxO8sl%2F6cdHq5JJ2akjLgi90ZZteu0LU6u%2FVyWL1VjDAnUbbHrCGrZBfViHSONd1AakmneTASQUujcfdyeNL0IE3CYynjNN%2Fa1RYBvtK5Ib3Ap7gyeVSq1L6tUhGr796TIIHiLhgTj2N9ZzA6Konxnfmvvmjk1v54ootEmjyHH0qXxTE8hMlWlaxR5IcoEHdGAJEY%2B4k0gHdd7KuNrSk0wdyMTS%2B58NGvInYBBSFjHAIjmedrqfLLfi66zE1RhtyOyoKgMj5MAWMKETKC8pR5tkLkMF9ByyHOfHtnWP8iPc3W2g6%2BzYHxjj2f%2B7qiL%2FzTGLlN8sWjp4kCMkWpAO4a9CDMFuhVPSNg%2BvaLmL3C7hhulQwJsYoTIJesupOJ0hngvXourJc3W%2BS4vqzXhRXFZJFnuZkclngXi919ADCMlPi2TSkxja%2FNJmIYjTEWjqouLMNX6iJs6xpFbdX0eIkEkoUfbVKbrWzYhaiEU9CPQKw2IZxvNEdFnWHE5n6OaFV%2BKIeBux1Vtuxz4qmzimMXFPhPshUFsQoC%2Be9b0NGUGuURIenLzB8aLbb4HqUr3t6WlQXuq8ljb5tzPN%2BftpBOinb8GMdqJ%2F52NINheUppN3%2FouuW%2FvExzCJ6HSJ8O%2B2%2FqFpAcS50rp13Ae0RvUZyDkwe4sO05eF0Wtq2YSoB6iqs%2F3T4vsvi4QtHG7vQTTxEAbwDif9Jy148fiOnC9%2BX5MaxihNm1Qe5QmgX0f4Fdp1znygvOrsAay0TTwgd7%2F0vJLUISc9d5vxxEviBJlsQOcH7sc74tvuWl1HiPqAKYPFbKEZUWRWOgMaN4T3d%2Bpc4Y%2FE8HROVuNtVxIUpDfX6%2F09FC73%2Bd02tDBR%2BokWU0hn%2B8182ErcdZBpwiRZLQIkc6ASplEOBnDawj8mDgw8VxnLbJ0nmB1XbNYGcEaL7NGwmHewDk9Xm0%2BV9EjhsqF2Yb169z8l7PdCsBNh8sXGAEPaXuqN73lsVadkOrGH7gB3KNmPr0%2Fx%2B5jaMXPr80hpAur02WWFe%2FXPPLvX%2BKtQmU1myc71dJikFlgSPenoS9vO45esTmzWeSdA4hcOEEgvYmIsgPNEWibSERyjKwJiqU5Ylc9%2BlXDDiVcPjxsjchGR68vw%3D%3D

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620762728.279563 NtAllocateVirtualMemory	process_identifier: 1320 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x02ad0000	success	0	0
1620762783.0005 NtAllocateVirtualMemory	process_identifier: 1424 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0000000004790000	success	0	0

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Steals private information from local Internet browsers (2 个事件)

registry	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox
registry	HKEY_CURRENT_USER\Software\Mozilla\Mozilla Firefox

Creates executable files on the filesystem (3 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsd8615.tmp\internal67107c14d28a9c980269879f96b91948.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsd8615.tmp\StdUtils.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7E445B4025204A1B8523E0412B43BF52\new_feb_17\js\template.js

Drops an executable to the user AppData folder (2 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsd8615.tmp\StdUtils.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsd8615.tmp\internal67107c14d28a9c980269879f96b91948.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (47 个事件)

Time & API	Arguments	Status	Return
1620762728.889563 Process32FirstW	process_name: [System Process] snapshot_handle: 0x000003a8 process_identifier: 0	success	1
1620762728.889563 Process32NextW	process_name: System snapshot_handle: 0x000003a8 process_identifier: 4	success	1
1620762728.889563 Process32NextW	process_name: smss.exe snapshot_handle: 0x000003a8 process_identifier: 276	success	1
1620762728.889563 Process32NextW	process_name: csrss.exe snapshot_handle: 0x000003a8 process_identifier: 372	success	1
1620762728.889563 Process32NextW	process_name: csrss.exe snapshot_handle: 0x000003a8 process_identifier: 424	success	1
1620762728.889563 Process32NextW	process_name: wininit.exe snapshot_handle: 0x000003a8 process_identifier: 432	success	1
1620762728.889563 Process32NextW	process_name: services.exe snapshot_handle: 0x000003a8 process_identifier: 476	success	1
1620762728.889563 Process32NextW	process_name: winlogon.exe snapshot_handle: 0x000003a8 process_identifier: 508	success	1
1620762728.889563 Process32NextW	process_name: lsass.exe snapshot_handle: 0x000003a8 process_identifier: 536	success	1
1620762728.889563 Process32NextW	process_name: lsm.exe snapshot_handle: 0x000003a8 process_identifier: 544	success	1
1620762728.889563 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000003a8 process_identifier: 656	success	1
1620762728.889563 Process32NextW	process_name: VBoxService.exe snapshot_handle: 0x000003a8 process_identifier: 720	success	1
1620762728.889563 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000003a8 process_identifier: 788	success	1
1620762728.889563 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000003a8 process_identifier: 868	success	1
1620762728.889563 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000003a8 process_identifier: 924	success	1
1620762728.889563 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000003a8 process_identifier: 956	success	1
1620762728.889563 Process32NextW	process_name: audiodg.exe snapshot_handle: 0x000003a8 process_identifier: 112	success	1
1620762728.889563 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000003a8 process_identifier: 540	success	1
1620762728.889563 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000003a8 process_identifier: 1080	success	1
1620762728.889563 Process32NextW	process_name: spoolsv.exe snapshot_handle: 0x000003a8 process_identifier: 1260	success	1
1620762728.889563 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000003a8 process_identifier: 1288	success	1
1620762728.889563 Process32NextW	process_name: taskhost.exe snapshot_handle: 0x000003a8 process_identifier: 1336	success	1
1620762728.889563 Process32NextW	process_name: dwm.exe snapshot_handle: 0x000003a8 process_identifier: 1384	success	1
1620762728.889563 Process32NextW	process_name: explorer.exe snapshot_handle: 0x000003a8 process_identifier: 1424	success	1
1620762728.889563 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000003a8 process_identifier: 1592	success	1
1620762728.889563 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000003a8 process_identifier: 1980	success	1
1620762728.889563 Process32NextW	process_name: taskeng.exe snapshot_handle: 0x000003a8 process_identifier: 1240	success	1
1620762728.889563 Process32NextW	process_name: VBoxTray.exe snapshot_handle: 0x000003a8 process_identifier: 2072	success	1
1620762728.889563 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x000003a8 process_identifier: 2224	success	1
1620762728.889563 Process32NextW	process_name: SearchIndexer.exe snapshot_handle: 0x000003a8 process_identifier: 2380	success	1
1620762728.889563 Process32NextW	process_name: wmpnetwk.exe snapshot_handle: 0x000003a8 process_identifier: 2460	success	1
1620762728.889563 Process32NextW	process_name: WmiPrvSE.exe snapshot_handle: 0x000003a8 process_identifier: 2672	success	1
1620762728.889563 Process32NextW	process_name: SearchProtocolHost.exe snapshot_handle: 0x000003a8 process_identifier: 2744	success	1
1620762728.889563 Process32NextW	process_name: SearchFilterHost.exe snapshot_handle: 0x000003a8 process_identifier: 2784	success	1
1620762728.889563 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000003a8 process_identifier: 2884	success	1
1620762728.889563 Process32NextW	process_name: pythonw.exe snapshot_handle: 0x000003a8 process_identifier: 2132	success	1
1620762728.889563 Process32NextW	process_name: pythonw.exe snapshot_handle: 0x000003a8 process_identifier: 1632	success	1
1620762728.889563 Process32NextW	process_name: taskhost.exe snapshot_handle: 0x000003a8 process_identifier: 2824	success	1
1620762728.889563 Process32NextW	process_name: 67107c14d28a9c980269879f96b91948.exe snapshot_handle: 0x000003a8 process_identifier: 1804	success	1
1620762728.889563 Process32NextW	process_name: internal67107c14d28a9c980269879f96b91948.exe snapshot_handle: 0x000003a8 process_identifier: 1320	success	1
1620762778.686563 Process32NextW	process_name: mscorsvw.exe snapshot_handle: 0x0000087c process_identifier: 3220	success	1
1620762778.686563 Process32NextW	process_name: mscorsvw.exe snapshot_handle: 0x0000087c process_identifier: 3248	success	1
1620762778.686563 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x0000087c process_identifier: 3320	success	1
1620762778.686563 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x0000087c process_identifier: 3352	success	1
1620762778.686563 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x0000087c process_identifier: 3396	success	1
1620762778.686563 Process32NextW	process_name: sppsvc.exe snapshot_handle: 0x0000087c process_identifier: 3464	success	1
1620762778.686563 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x0000087c process_identifier: 3608	success	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620762729.170563 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 个事件)

Time & API	Arguments	Status	Return
1620762778.686563 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1620762778.686563 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1620762778.701563 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1
1620762778.701563 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1

Queries for potentially installed applications (6 个事件)

Time & API	Arguments	Status	Return
1620762720.608563 RegOpenKeyExW	access: 0x00000001 base_handle: 0x80000001 key_handle: 0x00000000 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome options: 0	failed	2
1620762720.608563 RegOpenKeyExW	access: 0x00000001 base_handle: 0x80000002 key_handle: 0x000000dc regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome options: 0	success	0
1620762760.092563 RegOpenKeyExW	access: 0x00000001 base_handle: 0x80000001 key_handle: 0x00000000 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome options: 0	failed	2
1620762760.092563 RegOpenKeyExW	access: 0x00000001 base_handle: 0x80000002 key_handle: 0x00000860 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome options: 0	success	0
1620762760.108563 RegOpenKeyExW	access: 0x00000001 base_handle: 0x80000001 key_handle: 0x00000000 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome options: 0	failed	2
1620762760.108563 RegOpenKeyExW	access: 0x00000001 base_handle: 0x80000002 key_handle: 0x00000860 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome options: 0	success	0

Reads the systems User Agent and subsequently performs requests (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620762760.123563 InternetOpenW	proxy_bypass: access_type: 0 proxy_name: flags: 0 user_agent: Playtech WinClient Downloader/1.0	success	13369356	0

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 个事件)

Bkav	W32.HfsAdware.D664
CAT-QuickHeal	Trojan.Agent
K7AntiVirus	Adware ( 005513a71 )
K7GW	Adware ( 005513a71 )
CrowdStrike	win/malicious_confidence_80% (D)
Invincea	heuristic
ESET-NOD32	Win32/PlayTech.A potentially unwanted
APEX	Malicious
Paloalto	generic.ml
McAfee-GW-Edition	BehavesLike.Win32.Suspicious.cc
Sophos	Generic PUA FH (PUA)
Antiy-AVL	GrayWare[AdWare]/Win32.PlayTech.a
Microsoft	PUA:Win32/Playtech
Endgame	malicious (high confidence)
McAfee	Artemis!67107C14D28A
Cylance	Unsafe
Rising	PUF.PlayTech!1.B889 (CLASSIC)
Fortinet	Riskware/CrossRider

Attempts to create or modify system certificates (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (15 个事件)

Time & API	Arguments	Status
1620762731.811563 RegSetValueExA	key_handle: 0x00000524 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1620762731.811563 RegSetValueExA	key_handle: 0x00000524 value: p`F× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1620762731.811563 RegSetValueExA	key_handle: 0x00000524 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1620762731.811563 RegSetValueExW	key_handle: 0x00000524 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1620762731.811563 RegSetValueExA	key_handle: 0x00000540 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1620762731.811563 RegSetValueExA	key_handle: 0x00000540 value: p`F× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1620762731.811563 RegSetValueExA	key_handle: 0x00000540 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1620762731.842563 RegSetValueExW	key_handle: 0x00000520 value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success
1620762756.154563 RegSetValueExA	key_handle: 0x00000794 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1620762756.154563 RegSetValueExA	key_handle: 0x00000794 value: 0ü§F× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1620762756.154563 RegSetValueExA	key_handle: 0x00000794 value: 0 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1620762756.154563 RegSetValueExW	key_handle: 0x00000794 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1620762756.154563 RegSetValueExA	key_handle: 0x0000058c value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1620762756.154563 RegSetValueExA	key_handle: 0x0000058c value: 0ü§F× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1620762756.154563 RegSetValueExA	key_handle: 0x0000058c value: 0 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success

Generates some ICMP traffic

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.78:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2012-02-19 23:01:49

Imports

Library ADVAPI32.dll:

• 0x429340 RegCloseKey

• 0x429344 RegCreateKeyExA

• 0x429348 RegDeleteKeyA

• 0x42934c RegDeleteValueA

• 0x429350 RegEnumKeyA

• 0x429354 RegEnumValueA

• 0x429358 RegOpenKeyExA

• 0x42935c RegQueryValueExA

• 0x429360 RegSetValueExA

Library COMCTL32.DLL:

• 0x429368 ImageList_AddMasked

• 0x42936c ImageList_Create

• 0x429370 ImageList_Destroy

• 0x429374 InitCommonControls

Library GDI32.dll:

• 0x42937c CreateBrushIndirect

• 0x429380 CreateFontIndirectA

• 0x429384 DeleteObject

• 0x429388 GetDeviceCaps

• 0x42938c SelectObject

• 0x429390 SetBkColor

• 0x429394 SetBkMode

• 0x429398 SetTextColor

Library KERNEL32.dll:

• 0x4293a0 CloseHandle

• 0x4293a4 CompareFileTime

• 0x4293a8 CopyFileA

• 0x4293ac CreateDirectoryA

• 0x4293b0 CreateFileA

• 0x4293b4 CreateProcessA

• 0x4293b8 CreateThread

• 0x4293bc DeleteFileA

• 0x4293c0 ExitProcess

• 0x4293c4 ExpandEnvironmentStringsA

• 0x4293c8 FindClose

• 0x4293cc FindFirstFileA

• 0x4293d0 FindNextFileA

• 0x4293d4 FreeLibrary

• 0x4293d8 GetCommandLineA

• 0x4293dc GetCurrentProcess

• 0x4293e0 GetDiskFreeSpaceA

• 0x4293e4 GetExitCodeProcess

• 0x4293e8 GetFileAttributesA

• 0x4293ec GetFileSize

• 0x4293f0 GetFullPathNameA

• 0x4293f4 GetLastError

• 0x4293f8 GetModuleFileNameA

• 0x4293fc GetModuleHandleA

• 0x429400 GetPrivateProfileStringA

• 0x429404 GetProcAddress

• 0x429408 GetShortPathNameA

• 0x42940c GetSystemDirectoryA

• 0x429410 GetTempFileNameA

• 0x429414 GetTempPathA

• 0x429418 GetTickCount

• 0x42941c GetVersion

• 0x429420 GetWindowsDirectoryA

• 0x429424 GlobalAlloc

• 0x429428 GlobalFree

• 0x42942c GlobalLock

• 0x429430 GlobalUnlock

• 0x429434 LoadLibraryA

• 0x429438 LoadLibraryExA

• 0x42943c MoveFileA

• 0x429440 MulDiv

• 0x429444 MultiByteToWideChar

• 0x429448 ReadFile

• 0x42944c RemoveDirectoryA

• 0x429450 SearchPathA

• 0x429454 SetCurrentDirectoryA

• 0x429458 SetErrorMode

• 0x42945c SetFileAttributesA

• 0x429460 SetFilePointer

• 0x429464 SetFileTime

• 0x429468 Sleep

• 0x42946c WaitForSingleObject

• 0x429470 WriteFile

• 0x429474 WritePrivateProfileStringA

• 0x429478 lstrcatA

• 0x42947c lstrcmpA

• 0x429480 lstrcmpiA

• 0x429484 lstrcpynA

• 0x429488 lstrlenA

Library ole32.dll:

• 0x429490 CoCreateInstance

• 0x429494 CoTaskMemFree

• 0x429498 OleInitialize

• 0x42949c OleUninitialize

Library SHELL32.DLL:

• 0x4294a4 SHBrowseForFolderA

• 0x4294a8 SHFileOperationA

• 0x4294ac SHGetFileInfoA

• 0x4294b0 SHGetPathFromIDListA

• 0x4294b4 SHGetSpecialFolderLocation

• 0x4294b8 ShellExecuteA

Library USER32.dll:

• 0x4294c0 AppendMenuA

• 0x4294c4 BeginPaint

• 0x4294c8 CallWindowProcA

• 0x4294cc CharNextA

• 0x4294d0 CharPrevA

• 0x4294d4 CheckDlgButton

• 0x4294d8 CloseClipboard

• 0x4294dc CreateDialogParamA

• 0x4294e0 CreatePopupMenu

• 0x4294e4 CreateWindowExA

• 0x4294e8 DefWindowProcA

• 0x4294ec DestroyWindow

• 0x4294f0 DialogBoxParamA

• 0x4294f4 DispatchMessageA

• 0x4294f8 DrawTextA

• 0x4294fc EmptyClipboard

• 0x429500 EnableMenuItem

• 0x429504 EnableWindow

• 0x429508 EndDialog

• 0x42950c EndPaint

• 0x429510 ExitWindowsEx

• 0x429514 FillRect

• 0x429518 FindWindowExA

• 0x42951c GetClassInfoA

• 0x429520 GetClientRect

• 0x429524 GetDC

• 0x429528 GetDlgItem

• 0x42952c GetDlgItemTextA

• 0x429530 GetMessagePos

• 0x429534 GetSysColor

• 0x429538 GetSystemMenu

• 0x42953c GetSystemMetrics

• 0x429540 GetWindowLongA

• 0x429544 GetWindowRect

• 0x429548 InvalidateRect

• 0x42954c IsWindow

• 0x429550 IsWindowEnabled

• 0x429554 IsWindowVisible

• 0x429558 LoadBitmapA

• 0x42955c LoadCursorA

• 0x429560 LoadImageA

• 0x429564 MessageBoxIndirectA

• 0x429568 OpenClipboard

• 0x42956c PeekMessageA

• 0x429570 PostQuitMessage

• 0x429574 RegisterClassA

• 0x429578 ScreenToClient

• 0x42957c SendMessageA

• 0x429580 SendMessageTimeoutA

• 0x429584 SetClassLongA

• 0x429588 SetClipboardData

• 0x42958c SetCursor

• 0x429590 SetDlgItemTextA

• 0x429594 SetForegroundWindow

• 0x429598 SetTimer

• 0x42959c SetWindowLongA

• 0x4295a0 SetWindowPos

• 0x4295a4 SetWindowTextA

• 0x4295a8 ShowWindow

• 0x4295ac SystemParametersInfoA

• 0x4295b0 TrackPopupMenu

• 0x4295b4 wsprintfA

Library VERSION.dll:

• 0x4295bc GetFileVersionInfoA

• 0x4295c0 GetFileVersionInfoSizeA

• 0x4295c4 VerQueryValueA

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
ocsp.sectigo.com	A 151.139.128.14	151.139.128.14
ocsp.comodoca.com	A 151.139.128.14	151.139.128.14
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
cache.download.titen-poker.com	CNAME cache.download.titen-poker.com.z2.ptcdn4.com A 104.17.38.25 A 104.17.37.25	104.17.38.25
t8u4n6u7.ssl.hwcdn.net	A 205.185.208.154	205.185.208.154
c6m7w2m9.ssl.hwcdn.net	A 205.185.208.154	205.185.208.154
fallback.playtech-installer.com	CNAME s3-website-eu-west-1.amazonaws.com CNAME pt-installer.s3-website-eu-west-1.amazonaws.com A 52.218.29.228	52.218.85.76
clients2.google.com	A 172.217.160.78 CNAME clients.l.google.com	142.250.66.110
crl.usertrust.com	A 151.139.128.14	151.139.128.14
ocsp.usertrust.com	A 151.139.128.14	151.139.128.14
www.download.windowsupdate.com	A 124.225.105.97 CNAME 2-01-3cf7-0009.cdx.cedexis.net CNAME www.download.windowsupdate.com.cdn.dnsv1.com CNAME windowsupdate.sched.s11.tdnsv5.com CNAME 3573033.pack.cdntip.com CNAME wu-fg-shim.trafficmanager.net	36.25.252.1
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49199	104.17.37.25 cache.download.titen-poker.com	80
192.168.56.101	49185	124.225.105.97 www.download.windowsupdate.com	80
192.168.56.101	49186	151.139.128.14 ocsp.usertrust.com	80
192.168.56.101	49187	151.139.128.14 ocsp.usertrust.com	80
192.168.56.101	49189	151.139.128.14 ocsp.usertrust.com	80
192.168.56.101	49192	151.139.128.14 ocsp.usertrust.com	80
192.168.56.101	49193	151.139.128.14 ocsp.usertrust.com	80
192.168.56.101	49183	205.185.208.154 c6m7w2m9.ssl.hwcdn.net	443
192.168.56.101	49184	205.185.208.154 c6m7w2m9.ssl.hwcdn.net	443
192.168.56.101	49190	205.185.208.154 c6m7w2m9.ssl.hwcdn.net	443
192.168.56.101	49195	205.185.208.154 c6m7w2m9.ssl.hwcdn.net	443
192.168.56.101	49198	205.185.208.154 c6m7w2m9.ssl.hwcdn.net	443
192.168.56.101	49200	205.185.208.154 c6m7w2m9.ssl.hwcdn.net	443
192.168.56.101	49202	205.185.208.154 c6m7w2m9.ssl.hwcdn.net	443
192.168.56.101	49204	205.185.208.154 c6m7w2m9.ssl.hwcdn.net	443
192.168.56.101	49206	205.185.208.154 c6m7w2m9.ssl.hwcdn.net	443
192.168.56.101	49191	52.218.29.228 fallback.playtech-installer.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	50849	114.114.114.114	53
192.168.56.101	53210	114.114.114.114	53
192.168.56.101	53500	114.114.114.114	53
192.168.56.101	55331	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	57236	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	59291	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	62516	114.114.114.114	53
192.168.56.101	63921	114.114.114.114	53
192.168.56.101	64325	114.114.114.114	53
192.168.56.101	64877	114.114.114.114	53
192.168.56.101	65209	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49710	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1 Cache-Control: max-age = 3600 Connection: Keep-Alive Accept: / If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT If-None-Match: "0d8f4f3f6fd71:0" User-Agent: Microsoft-CryptoAPI/6.1 Host: www.download.windowsupdate.com
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.usertrust.com
http://cache.download.titen-poker.com/download/poker/20.7.6.7/casino[en].cab	GET /download/poker/20.7.6.7/casino[en].cab HTTP/1.1 Accept: / C: \Users\Administrator.Oskar-PC\AppData\Local\Temp\7E445B4025204A1B8523E0412B43BF52\pack.cab User-Agent: Playtech WinClient Downloader/1.0 Host: cache.download.titen-poker.com Connection: Keep-Alive Cache-Control: no-cache
http://fallback.playtech-installer.com/playtech_compressed_assets/titan_poker/index.7ze	GET /playtech_compressed_assets/titan_poker/index.7ze HTTP/1.1 Accept: / C: \Users\Administrator.Oskar-PC\AppData\Local\Temp\7E445B4025204A1B8523E0412B43BF52\index.7ze User-Agent: Playtech WinClient Downloader/1.0 Host: fallback.playtech-installer.com Connection: Keep-Alive Cache-Control: no-cache
http://fallback.playtech-installer.com/playtech_compressed_assets/titan_poker/templates/installer/new_feb_17.7ze	GET /playtech_compressed_assets/titan_poker/templates/installer/new_feb_17.7ze HTTP/1.1 Accept: / C: \Users\Administrator.Oskar-PC\AppData\Local\Temp\7E445B4025204A1B8523E0412B43BF52\new_feb_17 (1).7z User-Agent: Playtech WinClient Downloader/1.0 Host: fallback.playtech-installer.com Connection: Keep-Alive Cache-Control: no-cache
http://cache.download.titen-poker.com/download/poker/client_update_urls.php	GET /download/poker/client_update_urls.php HTTP/1.1 Accept: / User-Agent: Playtech WinClient Downloader/1.0 Host: cache.download.titen-poker.com Connection: Keep-Alive Cache-Control: no-cache
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.comodoca.com
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEHSfdSPcp6pyLdnEz5lZ6ec%3D	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEHSfdSPcp6pyLdnEz5lZ6ec%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.sectigo.com
http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl	GET /USERTrustRSACertificationAuthority.crl HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: crl.usertrust.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.