17.2
0-day

SHA-256: 870d16eb412c190d404ea3239d9d21339918f55dd3bfa92fe072a92cdfd30144
File name: 698c433b3956610e9e885156d47fb58f.exe (the stem is the sample's MD5; McAfee's detection name below embeds its first 12 hex digits)
Analysis time: 111s
Last analysis:
File size: 1.5MB

Flagged by static scanning and by dynamic analysis. Detection tags: 5VN07DYBTSY ADRFD AI SCORE=85 AIDETECTVM AUTOG B@72ARJ8 BSCOPE CLASSIC CONFIDENCE CPLN DOWNLOADER23 EGPTGE ELDORADO FIVIY GENASA GENCIRC GENERICKD GENERICRXDM GENETIC HEBCHENGJIU HIGH CONFIDENCE IR1@AO@MUGOB KCLOUD KRYPTIK MALICIOUS PE MALWARE1 MAUVAISE MIKEY MXRESICN PUPSTUDIO QVM07 SCORE SGENERIC STATIC AI SYMMI TONMYE UNSAFE UPATRE ZEXAF
Eagle Eye engine (鹰眼引擎): not detected (no Eagle Eye engine result available)
Static verdict

Antivirus engines

Engine      | Result                                 | Scan date | Engine version
Alibaba     | TrojanDownloader:Win32/AdLoad.e726f474 | 20190527  | 0.3.0.5
Avast       | Win32:Malware-gen                      | 20201210  | 21.1.5827.0
Tencent     | Malware.Win32.Gencirc.10b6dedc         | 20201211  | 1.0.0.1
Baidu       | (none)                                 | 20190318  | 1.0.0.2
Kingsoft    | Win32.Troj.Undef.(kcloud)              | 20201211  | 2017.9.26.565
McAfee      | GenericRXDM-NN!698C433B3956            | 20201211  | 6.0.6.653
CrowdStrike | win/malicious_confidence_90% (W)       | 20190702  | 1.0
Static indicators

Queries for the computername (2 events)

Time (Unix epoch) | API              | Arguments               | Status  | Return | Repeated
1619610588.919813 | GetComputerNameA | computer_name: OSKAR-PC | success | 1      | 0
1619610589.966813 | GetComputerNameW | computer_name: OSKAR-PC | success | 1      | 0
Checks if process is being debugged by a debugger (27 events)

All 27 calls are IsDebuggerPresent with return 0 and repeated 0. The sandbox labels a zero return "failed", but for this API zero means no debugger was seen, so these rows record anti-debug probes that found nothing. Timestamps (Unix epoch):
1619610172.212044, 1619610179.277352, 1619610179.433352, 1619610189.386352, 1619610189.449352, 1619610189.495352, 1619610189.636352, 1619610189.730352, 1619610189.808352, 1619610189.839352, 1619610190.042352, 1619610190.136352, 1619610193.605352, 1619610196.261352, 1619610203.355352, 1619610204.308352, 1619610204.308352, 1619610204.480352, 1619610207.230352, 1619610209.511352, 1619610211.495352, 1619610213.808352, 1619610214.245352, 1619610220.136352, 1619610175.178472, 1619610175.193472, 1619610175.209472
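A parser for the per-event record format this report uses throughout (a timestamp line, the API name, zero or more `key: value` argument lines, then a `status return repeated` line), added here as an example and not part of the sandbox's own tooling. The RAW excerpt is constructed from rows on this page, and the NOT_A_FAILURE table is an assumption of this example: it encodes the two cases visible above where the sandbox's "failed" label does not mean an error (IsDebuggerPresent returning 0, and GetAdaptersAddresses returning 111, ERROR_BUFFER_OVERFLOW, on its sizing call). Multi-line values such as the stacktrace in an `__exception__` record are out of scope.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed excerpt in the report's own layout (copied from rows on this page).
RAW = """\
1619610588.919813
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619610172.212044
IsDebuggerPresent
failed 0 0
1619610592.247813
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
"""

@dataclass
class ApiCall:
    time: float
    api: str
    args: Dict[str, str] = field(default_factory=dict)
    status: str = ""
    ret: int = 0
    repeated: int = 0

_TS = re.compile(r"^\d{10}(?:\.\d+)?$")             # Unix epoch seconds with optional fraction
_END = re.compile(r"^(success|failed)\s+(-?\d+)\s+(\d+)$")  # "status return repeated"

def parse_calls(text: str) -> List[ApiCall]:
    """Walk the flat text and group it into ApiCall records; raise on a truncated record."""
    calls: List[ApiCall] = []
    cur = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if cur is None:                       # a record starts with its timestamp
            if not _TS.match(line):
                raise ValueError(f"expected timestamp, got {line!r}")
            cur = ApiCall(time=float(line), api="")
        elif not cur.api:                     # second line is the API name
            cur.api = line
        else:
            m = _END.match(line)
            if m:                             # terminator line closes the record
                cur.status, cur.ret, cur.repeated = m.group(1), int(m.group(2)), int(m.group(3))
                calls.append(cur)
                cur = None
            else:                             # everything else is "key: value" (value may be empty)
                key, _, value = line.partition(":")
                cur.args[key.strip()] = value.strip()
    if cur is not None:
        raise ValueError("truncated record at end of input")
    return calls

# Assumed list for this example: (api, return) pairs the sandbox marks "failed"
# although the value is the normal outcome for that call.
NOT_A_FAILURE = {
    ("IsDebuggerPresent", 0),      # 0 = no debugger attached
    ("GetAdaptersAddresses", 111), # 111 = ERROR_BUFFER_OVERFLOW from the buffer-sizing call
}

def real_failures(calls: List[ApiCall]) -> List[ApiCall]:
    """Calls the sandbox marked failed that are not in the known-benign table."""
    return [c for c in calls if c.status == "failed" and (c.api, c.ret) not in NOT_A_FAILURE]

def anti_debug_probe_count(calls: List[ApiCall]) -> int:
    return sum(1 for c in calls if c.api == "IsDebuggerPresent")

if __name__ == "__main__":
    for c in parse_calls(RAW):
        print(f"{c.time:.6f} {c.api:<22} {c.status:<7} ret={c.ret:<4} {c.args}")
    print("real failures:", real_failures(parse_calls(RAW)))
```

Run it on a larger dump by replacing RAW with the report text; the parser stops with a ValueError rather than silently mis-aligning records if the copy was cut mid-record.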
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
Tries to locate where the browsers are installed (2 events)
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome.dll
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\installlocation
Checks the amount of memory in the system; a low figure can be used to detect virtual machines (1 event)
Time (Unix epoch) | API                  | Status  | Return | Repeated
1619610589.372813 | GlobalMemoryStatusEx | success | 1      | 0
The executable uses a known packer (1 event)
packer Armadillo v1.71
One or more processes crashed (1 event)

Time (Unix epoch): 1619610227.761352 | API: __exception__ | Status: success | Return: 0 | Repeated: 0
stacktrace: 0x982e04, then 63 frames of 0x30. A walk that yields the same byte-sized value for every frame after the faulting address has read through memory filled with 0x30 bytes, not real return addresses, so no caller can be recovered from it.
registers (the report prints them as signed decimal; hex added):
registers.rax: 9973248 (0x982e00)
registers.rbx: 278588208 (0x109aeb30)
registers.rcx: 1344 (0x540)
registers.rdx: 1412 (0x584)
registers.rsi: -6148914691236517206 (0xaaaaaaaaaaaaaaaa, a fill pattern rather than a pointer)
registers.rdi: 17302540 (0x108040c)
registers.rbp: 278588064 (0x109aeaa0)
registers.rsp: 278587928 (0x109aea18)
registers.r8: 2009563532 (0x77c7818c)
registers.r9: 0
registers.r10: 0
registers.r11: 278592128 (0x109afa80)
registers.r12: 278588968 (0x109aee28)
registers.r13: 2205100081152 (0x2016a350000)
registers.r14: 2205099134464 (0x2016a268e00)
registers.r15: 278588568 (0x109aec98)
exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 a3 77
exception.instruction: call qword ptr [rip + 0x91f16]
exception.exception_code: 0xc0000005 (STATUS_ACCESS_VIOLATION)
exception.symbol:
exception.address: 0x982e04
The faulting call reads its target pointer from 0x982e04 + 6 + 0x91f16 = 0xa14d20. The bytes after it (ff 25 00 00 00 00 aa a4 a3 77 ...) decode to `jmp qword ptr [rip + 0]` followed by an absolute address, a layout typical of hook and trampoline stubs rather than of compiler output; rax holds 0x982e00, four bytes before the faulting instruction.
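Turning the record above into something readable, as an added example that is not part of the sandbox or of the report: the registers are reinterpreted as unsigned 64-bit values so fill patterns stand out, the `ff 15 disp32` operand is resolved to the pointer slot the call dereferenced, the NTSTATUS code is named, and the all-0x30 stack walk is recognised as unusable. Every value is copied from the record; the STATUS_NAMES table is a small hand-written subset, and the "fill pattern" and "garbage stack" heuristics are this example's own.

```python
import struct
from typing import Dict, List, Optional

STATUS_NAMES: Dict[int, str] = {          # hand-written subset of NTSTATUS codes
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0x80000003: "STATUS_BREAKPOINT",
}

# Copied from the record above; the report prints registers as signed decimal.
REGISTERS: Dict[str, int] = {
    "rax": 9973248, "rbx": 278588208, "rcx": 1344, "rdx": 1412,
    "rsi": -6148914691236517206, "rdi": 17302540, "rbp": 278588064,
    "rsp": 278587928, "r8": 2009563532, "r9": 0, "r10": 0,
    "r11": 278592128, "r12": 278588968, "r13": 2205100081152,
    "r14": 2205099134464, "r15": 278588568,
}
FAULT_ADDRESS = 0x982E04
INSTRUCTION_BYTES = bytes.fromhex("ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 a3 77")
STACK: List[int] = [0x982E04] + [0x30] * 63   # as printed: fault address, then 63 frames of 0x30

def to_u64(value: int) -> int:
    """Reinterpret a signed 64-bit value as unsigned."""
    return value & 0xFFFFFFFFFFFFFFFF

def fill_pattern(value: int) -> bool:
    """True when all eight bytes are the same non-zero byte (0xAA.., 0xCC.., 0xFE.. fills)."""
    b = to_u64(value).to_bytes(8, "little")
    return len(set(b)) == 1 and b[0] != 0

def rip_relative_target(address: int, code: bytes) -> int:
    """Memory operand of `call qword ptr [rip+disp32]` (opcode ff 15): RIP is the
    address of the *next* instruction, i.e. address + 6 for this encoding."""
    if code[:2] != b"\xff\x15":
        raise ValueError("not an ff 15 rip-relative call")
    disp = struct.unpack_from("<i", code, 2)[0]   # signed 32-bit displacement
    return address + 6 + disp

def trampoline_after(code: bytes) -> Optional[int]:
    """If the bytes contain `jmp qword ptr [rip+0]` (ff 25 00000000) followed by an
    inline absolute target, return the target's low 32 bits (only 4 of its 8 bytes
    are present in the record), else None."""
    jmp = code.find(b"\xff\x25\x00\x00\x00\x00")
    if jmp < 0 or len(code) < jmp + 10:
        return None
    return struct.unpack_from("<I", code, jmp + 6)[0]

def describe(status: int) -> str:
    return STATUS_NAMES.get(status, f"unknown 0x{status:08X}")

def stack_is_garbage(stack: List[int]) -> bool:
    """Many identical, tiny 'return addresses' after the fault frame mean the walker
    read a filled buffer, not a call chain."""
    frames = stack[1:]
    return len(frames) > 8 and len(set(frames)) == 1 and frames[0] < 0x10000

if __name__ == "__main__":
    for name, val in REGISTERS.items():
        note = "  <- fill pattern" if fill_pattern(val) else ""
        print(f"{name:>3} = 0x{to_u64(val):016x}{note}")
    slot = rip_relative_target(FAULT_ADDRESS, INSTRUCTION_BYTES)
    print(f"{describe(0xC0000005)} at 0x{FAULT_ADDRESS:x}; call reads its pointer from 0x{slot:x}")
    tgt = trampoline_after(INSTRUCTION_BYTES)
    print(f"trampoline stub follows, target low dword 0x{tgt:08x}" if tgt is not None else "no stub")
    print("stack walk usable:", not stack_is_garbage(STACK))
```

The pointer slot, 0xa14d20, is where to look in a memory dump of pid 3088: either that slot was unreadable or the value it held pointed to unmapped memory, and the access violation does not by itself say which.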
Behavioral verdict

Dynamic indicators

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features: POST method with no referer header
suspicious_request: POST https://update.googleapis.com/service/update2?cup2key=10:491689989&cup2hreq=44bde98144d9bf3c03d7cdb79688c0f01bcacd041e62fd014ac6d05de2b3d21d
Performs some HTTP requests (8 events)
request GET http://repository.certum.pl/ca.cer
request GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
request GET http://subca.ocsp-certum.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR5iK7tYk9tqQEoeQhZNkKcAol9bgQUjEPEy22YwaechGnr30oNYJY6w%2FsCEQCTkoVAAWVxX5R%2FKI%2FvyZso
request GET http://subca.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEAXtiNgIjRHr3dYjljy67UI%3D
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619581936&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=963a75aab6152a7d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619581936&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:491689989&cup2hreq=44bde98144d9bf3c03d7cdb79688c0f01bcacd041e62fd014ac6d05de2b3d21d
Sends data using the HTTP POST Method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:491689989&cup2hreq=44bde98144d9bf3c03d7cdb79688c0f01bcacd041e62fd014ac6d05de2b3d21d
None of these URLs is the sample's own command channel. The update.googleapis.com POST carrying cup2key/cup2hreq parameters and the gvt1.com HEAD requests for GoogleUpdateSetup.exe are Google Update (Omaha) client-update-protocol traffic, which fits the ShellExecuteExW launch of http://hao.360.cn/... in the default browser recorded below (Chrome, judging by the chrome.exe crash and the Chrome profile writes); the certum.pl, authrootstl.cab and ocsp-certum.com fetches are Windows validating a Certum-issued certificate chain, and which file's signature triggered them is not shown. Treat the "POST with no referer" flag as a likely false positive and look for the sample's network activity elsewhere.
An application raised an exception which may be indicative of an exploit crash (2 events)
Application Crash: process chrome.exe with pid 3088 crashed. Its exception record is the one shown under "One or more processes crashed" above: fault at 0x982e04 on call qword ptr [rip + 0x91f16], code 0xc0000005, same registers and the same all-0x30 stack walk.
Steals private information from local Internet browsers (25 events)
The paths below are Chrome's own profile, metrics and Crashpad files, which Chrome creates and rewrites itself on launch; none of the credential or cookie stores (Login Data, Cookies, Web Data) appears. Read together with the chrome.exe crash above and the browser launch below, this is most likely Chrome's startup activity rather than the sample reading browser data.
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\First Run
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-60893489-C10.pma
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF15da21a.TMP
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Last Version
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Policy\User Policy
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Preferences
Foreign language identified in PE resource (6 events)
name RT_ICON (3 identical entries) language LANG_CHINESE sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x001987e0 size 0x00000468 filetype GLS_BINARY_LSB_FIRST
name RT_GROUP_ICON language LANG_CHINESE sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00198c48 size 0x00000030 filetype data
name RT_VERSION language LANG_CHINESE sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00198c78 size 0x0000023c filetype data
name RT_MANIFEST language LANG_CHINESE sublanguage SUBLANG_CHINESE_SIMPLIFIED offset 0x00198eb4 size 0x0000022e filetype XML 1.0 document, ASCII text, with CRLF line terminators
Creates executable files on the filesystem (23 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\ldsajdklsajdlkjsalkda.bat
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\172460.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\202164.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\986136.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8644469666.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\971094.exe
file C:\Program Files (x86)\DouTu\DouTuDaShi.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\218566.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\538024.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\563340.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\kbnrur.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\579961.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\087470.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\953364.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\783307.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\397077.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\264268.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\316758.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\007976.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\941338.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\718399.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\272692.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\667689.exe
Drops a binary and executes it (20 events)
file C:\Program Files (x86)\DouTu\DouTuDaShi.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\563340.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\272692.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\316758.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\538024.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\172460.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\971094.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\007976.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\941338.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\718399.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\397077.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\953364.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\202164.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\579961.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\783307.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\986136.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\218566.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\087470.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\264268.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\667689.exe
Drops an executable to the user AppData folder (21 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\316758.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\718399.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\397077.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\698c433b3956610e9e885156d47fb58f.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\087470.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\563340.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\986136.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\272692.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\538024.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\264268.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\941338.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\783307.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\202164.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\218566.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\8644469666.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\172460.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\579961.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\667689.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\953364.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\007976.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\971094.exe
A process created a hidden window (41 events)

All 41 calls are ShellExecuteExW with show_type 0 (SW_HIDE), status success, return 1, repeated 0. filepath_r is the path string as passed to the call; it differs from filepath only in the first row (C:\Users\ADMINI~1.OSK\AppData\Local\Temp\\kbnrur.exe). Each six-digit executable under AppData\Roaming\Download is started twice: once with /Shorttailedrestart, at roughly three-second intervals, and again a few seconds later with no parameters.

Time (Unix epoch)  | File                                                                  | Parameters
1619610593.044813  | C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\kbnrur.exe          | /jscxyxztjkl
1619610597.591813  | http://hao.360.cn/?src=lm&ls=n6abbbb598c                              | (none)
1619610597.591813  | http://hao.360.cn/?src=lm&ls=n6abbbb598c                              | (none)
1619610593.832311  | C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\kbnrur.exe          | /jsjczxztcq
1619610609.5935    | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\563340.exe    | /Shorttailedrestart
1619610612.6405    | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\272692.exe    | /Shorttailedrestart
1619610615.6875    | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\316758.exe    | /Shorttailedrestart
1619610618.7975    | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\538024.exe    | /Shorttailedrestart
1619610621.8285    | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\172460.exe    | /Shorttailedrestart
1619610624.9065    | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\971094.exe    | /Shorttailedrestart
1619610628.6875    | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\007976.exe    | /Shorttailedrestart
1619610631.8285    | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\941338.exe    | /Shorttailedrestart
1619610635.1255    | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\718399.exe    | /Shorttailedrestart
1619610638.6875    | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\397077.exe    | /Shorttailedrestart
1619610641.8125    | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\953364.exe    | /Shorttailedrestart
1619610644.8755    | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\202164.exe    | /Shorttailedrestart
1619610647.9685    | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\579961.exe    | /Shorttailedrestart
1619610651.6095    | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\783307.exe    | /Shorttailedrestart
1619610654.8755    | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\986136.exe    | /Shorttailedrestart
1619610658.4845    | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\218566.exe    | /Shorttailedrestart
1619610661.5475    | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\087470.exe    | /Shorttailedrestart
1619610664.8435    | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\264268.exe    | /Shorttailedrestart
1619610668.1725    | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\667689.exe    | /Shorttailedrestart
1619610613.021237  | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\563340.exe    | (none)
1619610617.12841   | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\272692.exe    | (none)
1619610621.152786  | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\316758.exe    | (none)
1619610625.610581  | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\538024.exe    | (none)
1619610629.978727  | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\172460.exe    | (none)
1619610634.523008  | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\971094.exe    | (none)
1619610640.074503  | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\007976.exe    | (none)
1619610644.847442  | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\941338.exe    | (none)
1619610649.738316  | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\718399.exe    | (none)
1619610655.082066  | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\397077.exe    | (none)
1619610659.886753  | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\953364.exe    | (none)
1619610664.457317  | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\202164.exe    | (none)
1619610669.23038   | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\579961.exe    | (none)
1619610674.667628  | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\783307.exe    | (none)
1619610679.394317  | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\986136.exe    | (none)
1619610684.80838   | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\218566.exe    | (none)
1619610689.402128  | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\087470.exe    | (none)
1619610694.347442  | C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\264268.exe    | (none)
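Detection logic for the launch pattern recorded in this section, added as an example that is neither the sandbox's code nor any product's rule: a hidden (SW_HIDE) launch of an executable directly under AppData\Roaming\Download whose name is exactly six digits, first with the /Shorttailedrestart switch and then bare a few seconds later. The event tuples are constructed from rows on this page plus one benign control row; the field layout, the 30-second pairing window and the HIGH/MEDIUM labels are this example's own assumptions, not an EDR schema.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# A six-digit stem directly under ...\AppData\Roaming\Download\, as in the rows above.
NUMERIC_DROPPER = re.compile(r"\\AppData\\Roaming\\Download\\(\d{6})\.exe$", re.IGNORECASE)
RESTART_SWITCH = "/shorttailedrestart"
SW_HIDE = 0

Event = Tuple[float, str, str, int]   # (timestamp, file, parameters, show_type) - assumed layout

# Constructed from rows of the table above, plus one benign control row at the end.
EVENTS: List[Event] = [
    (1619610593.044813, r"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\kbnrur.exe", "/jscxyxztjkl", 0),
    (1619610597.591813, "http://hao.360.cn/?src=lm&ls=n6abbbb598c", "", 0),
    (1619610609.5935,   r"C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\563340.exe", "/Shorttailedrestart", 0),
    (1619610612.6405,   r"C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\272692.exe", "/Shorttailedrestart", 0),
    (1619610613.021237, r"C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\563340.exe", "", 0),
    (1619610617.12841,  r"C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\272692.exe", "", 0),
    (1619610668.1725,   r"C:\Users\Administrator.Oskar-PC\AppData\Roaming\Download\667689.exe", "/Shorttailedrestart", 0),
    (1619610700.0,      r"C:\Program Files\Google\Chrome\Application\chrome.exe", "--type=renderer", 1),  # control
]

def match_dropper(path: str) -> str:
    """Six-digit stem when the path is a numeric dropper under Roaming\\Download, else ''."""
    m = NUMERIC_DROPPER.search(path)
    return m.group(1) if m else ""

def launches_by_dropper(events: List[Event]) -> Dict[str, Dict[str, float]]:
    """For each numeric dropper started hidden, keep the first launch with the
    restart switch and the first bare launch (other argument strings are ignored)."""
    seen: Dict[str, Dict[str, float]] = defaultdict(dict)
    for ts, path, args, show in sorted(events, key=lambda e: e[0]):
        stem = match_dropper(path)
        if not stem or show != SW_HIDE:
            continue
        a = args.strip().lower()
        if a == RESTART_SWITCH:
            seen[stem].setdefault("restart", ts)
        elif a == "":
            seen[stem].setdefault("relaunch", ts)
    return dict(seen)

def alerts(events: List[Event], max_gap_s: float = 30.0) -> List[str]:
    """HIGH when the switch launch is followed by a bare relaunch within max_gap_s
    seconds; MEDIUM for a hidden launch of a numeric dropper without that pairing."""
    out: List[str] = []
    for stem, rec in sorted(launches_by_dropper(events).items()):
        if "restart" in rec and "relaunch" in rec and 0 <= rec["relaunch"] - rec["restart"] <= max_gap_s:
            gap = rec["relaunch"] - rec["restart"]
            out.append(f"HIGH {stem}.exe: /Shorttailedrestart then bare relaunch {gap:.1f}s later")
        else:
            out.append(f"MEDIUM {stem}.exe: hidden launch of a numeric dropper")
    return out

if __name__ == "__main__":
    for line in alerts(EVENTS):
        print(line)
```

The pairing rule is what separates this from an ordinary "exe in AppData" hit: a single numeric dropper started hidden is only worth a medium-severity note, while the switch-then-bare sequence within seconds reproduces the chain seen here and deserves a high-severity alert with the stem as the pivot for hunting the matching file-creation events.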
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (32 events)
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time (Unix epoch) | API                  | Arguments                       | Status | Return | Repeated
1619610592.247813 | GetAdaptersAddresses | flags: 0, family: 0 (AF_UNSPEC) | failed | 111    | 0
Return 111 is ERROR_BUFFER_OVERFLOW, the expected result of the first call made with an empty buffer to learn the required size; it does not show whether the adapter list was then read.
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 6.873287110337098 | section .data (virtual_address 0x0005d000, size_of_data 0x00128000, virtual_size 0x00137818) | description: A section with a high entropy has been found
entropy 0.7531806615776081 | description: Overall entropy of this PE file is high
The section figure is in bits per byte (maximum 8.0); the overall figure is the same measure scaled to 0..1, so 0.753 corresponds to about 6.03 bits per byte. The .data section's raw size, 0x128000 bytes (about 1.16 MB), accounts for most of the 1.5 MB file, consistent with the Armadillo packing noted under the static indicators.
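How the two entropy figures above are computed, as an added example rather than the sandbox's own code: Shannon entropy over byte frequencies, per section and for the whole image, in the two scales the report uses. The sample sections are constructed (code-like text, seeded pseudo-random bytes standing in for a packed payload, and a zero-filled section), and the two thresholds are assumptions chosen to reproduce the flags above, not published values.

```python
import math
import random
from collections import Counter
from typing import List, Tuple

SECTION_THRESHOLD_BITS = 6.8      # assumed: flag a section above this (bits per byte)
FILE_THRESHOLD_NORMALIZED = 0.7   # assumed: flag the whole image above this (0..1 scale)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def normalized_entropy(data: bytes) -> float:
    """The same measure scaled to 0..1, the form the report uses for its overall figure."""
    return shannon_entropy(data) / 8.0

def flag_sections(sections: List[Tuple[str, bytes]]) -> List[str]:
    """Names of sections whose entropy exceeds SECTION_THRESHOLD_BITS."""
    return [name for name, data in sections if shannon_entropy(data) > SECTION_THRESHOLD_BITS]

def flag_file(image: bytes) -> bool:
    """True when the whole image's normalized entropy exceeds FILE_THRESHOLD_NORMALIZED."""
    return normalized_entropy(image) > FILE_THRESHOLD_NORMALIZED

# Constructed stand-in for a packed PE. The RNG is seeded so the numbers reproduce.
_rng = random.Random(0x5D000)
SECTIONS: List[Tuple[str, bytes]] = [
    (".text", b"mov eax, ebx ; push ebp ; call sub_401000 ; ret\n" * 400),   # readable, low entropy
    (".data", bytes(_rng.getrandbits(8) for _ in range(0x10000))),           # compressed/encrypted look-alike
    (".bss",  b"\x00" * 0x2000),                                             # zero fill
]
IMAGE = b"".join(data for _, data in SECTIONS)

if __name__ == "__main__":
    for name, data in SECTIONS:
        print(f"{name:<6} {len(data):>7} bytes  entropy {shannon_entropy(data):.3f} bits/byte")
    print("high-entropy sections:", flag_sections(SECTIONS))
    print(f"overall normalized entropy {normalized_entropy(IMAGE):.3f} -> flagged: {flag_file(IMAGE)}")
```

Entropy alone does not distinguish compression from encryption, and a large resource section (images, embedded installers) trips the same threshold; the section name and its share of the file, as noted above for .data, are what turn the number into evidence of packing.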
Repeatedly searches for a not-found process, you may want to run a web browser during analysis (27 events)

All 27 rows are Process32NextW calls with status failed and return 0: the API returns FALSE at the end of a snapshot (and on error), so each row is an enumeration that walked the whole list without the caller stopping. The process_name and process_identifier columns are whatever the PROCESSENTRY32W buffer held after the failed call (stale entries from earlier iterations, empty strings, or garbage such as the non-ASCII names and the identifier 4294967294 = 0xfffffffe), not the process being searched for. DouTuDaShi.exe is the sample's own dropped file (C:\Program Files (x86)\DouTu\DouTuDaShi.exe); inject-x86.exe and inject-x64.exe do not appear among the dropped files listed on this page.

Time (Unix epoch)  | process_name (buffer contents) | snapshot_handle | process_identifier
1619610591.153813  | DouTuDaShi.exe                 | 0x00000218      | 2136
1619610591.169813  | Doﭨọ矚梎7￾￿㲣矖㳎矖Ὸ             | 0x0000022c      | 7572864
1619610591.169813  | DouTuDaShi.exe                 | 0x00000218      | 2136
1619610591.169813  | DouTuDaShi.exe                 | 0x0000022c      | 2136
1619610597.2975    | inject-x86.exe                 | 0x000000bc      | 2272
1619610600.2975    | ⌰ጀ陨g                           | 0x000000c4      | 6752616
1619610603.4065    | conhost.exe                    | 0x000000bc      | 3268
1619610606.4065    | inject-x64.exe                 | 0x000000c4      | 3408
1619610609.4065    | explorer.exe                   | 0x000000bc      | 3328
1619610612.5935    | (empty)                        | 0x00000224      | 4294967294
1619610615.6405    | (empty)                        | 0x00000228      | 4294967294
1619610618.6875    | (empty)                        | 0x00000230      | 3328
1619610621.7975    | (empty)                        | 0x00000230      | 3328
1619610624.8285    | (empty)                        | 0x00000230      | 3328
1619610627.9065    | (empty)                        | 0x00000230      | 3328
1619610631.6875    | (empty)                        | 0x00000230      | 3328
1619610634.8285    | (empty)                        | 0x00000230      | 3328
1619610638.1255    | (empty)                        | 0x00000230      | 4294967294
1619610641.7035    | mscorsvw.exe                   | 0x0000022c      | 3652
1619610644.8125    | sppsvc.exe                     | 0x0000022c      | 2036
1619610647.8755    | ⏐k                             | 0x0000022c      | 3712
1619610650.9685    | (empty)                        | 0x0000022c      | 4294967294
1619610654.6255    | (empty)                        | 0x0000022c      | 3424
1619610657.8755    | j                              | 0x0000022c      | 4460
1619610661.4845    | j                              | 0x0000022c      | 4460
1619610664.5475    | (empty)                        | 0x0000022c      | 4294967294
1619610667.8435    | (empty)                        | 0x0000022c      | 4396
Queries for potentially installed applications (19 events; the page ends after the 17th row)

All rows are RegOpenKeyExA with access 0x02000000 (MAXIMUM_ALLOWED), base_handle 0x80000002 (HKEY_LOCAL_MACHINE), key_handle 0x000004e0, options 0, status success, return 0 (ERROR_SUCCESS), repeated 0. regkey_r is the subkey string as passed, i.e. the path below without the HKEY_LOCAL_MACHINE\ prefix.

Time (Unix epoch) | regkey
1619610597.075813 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\
1619610597.075813 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
1619610597.075813 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
1619610597.075813 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
1619610597.075813 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
1619610597.075813 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1619610597.075813 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1619610597.075813 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1619610597.075813 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1619610597.075813 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall
1619610597.075813 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1619610597.091813 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
1619610597.091813 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE40
1619610597.091813 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
1619610597.091813 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
1619610597.091813 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\IEData
1619610597.091813 | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
options: 0
success 0 0
1619610597.091813
RegOpenKeyExA
access: 0x02000000
base_handle: 0x80000002
key_handle: 0x000004e0
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
options: 0
success 0 0
1619610597.091813
RegOpenKeyExA
access: 0x02000000
base_handle: 0x80000002
key_handle: 0x000004e0
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\WIC
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\WIC
options: 0
success 0 0
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
Attempts to modify browser security settings (1 event)
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\DouTuDaShi.exe
Disables proxy possibly for traffic interception (1 event)
Time & API Arguments Status Return Repeated
1619610595.532937
RegSetValueExA
key_handle: 0x00000308
value: 0
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
success 0 0
Queries information on disks, possibly for anti-virtualization (2 events)
Time & API Arguments Status Return Repeated
1619610591.185813
NtCreateFile
create_disposition: 1 (FILE_OPEN)
file_handle: 0x0000022c
filepath: \??\PhysicalDrive0
desired_access: 0x00100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE)
file_attributes: 0 ()
filepath_r: \??\PhysicalDrive0
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 0 (FILE_SUPERSEDED)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
success 0 0
1619610591.185813
DeviceIoControl
input_buffer:
device_handle: 0x0000022c
control_code: 2954240 ()
output_buffer:
success 1 0
Collects information about installed applications (2 events)
Time & API Arguments Status Return Repeated
1619610597.075813
RegQueryValueExA
key_handle: 0x000004e0
value: Google Chrome
regkey_r: displayname
reg_type: 1 (REG_SZ)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\displayname
success 0 0
1619610597.075813
RegQueryValueExA
key_handle: 0x000004e0
value: Google Chrome
regkey_r: displayname
reg_type: 1 (REG_SZ)
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\displayname
success 0 0
Attempts to create or modify system certificates (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\6252DC40F71143A22FDE9EF7348E064251B18118\Blob
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1619610595.075813
RegSetValueExA
key_handle: 0x00000438
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619610595.075813
RegSetValueExA
key_handle: 0x00000438
value: ðëO£<×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619610595.075813
RegSetValueExA
key_handle: 0x00000438
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619610595.075813
RegSetValueExW
key_handle: 0x00000438
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619610595.075813
RegSetValueExA
key_handle: 0x000002d0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619610595.075813
RegSetValueExA
key_handle: 0x000002d0
value: ðëO£<×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619610595.091813
RegSetValueExA
key_handle: 0x000002d0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619610595.107813
RegSetValueExW
key_handle: 0x00000434
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Network activity contains more than one unique useragent (2 events)
process 698c433b3956610e9e885156d47fb58f.exe useragent Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
process DouTuDaShi.exe useragent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Visual analysis
Binary image
No binary image available: no binary visualization image was generated for this sample.
Runtime screenshots
No runtime screenshots available: no screenshots were generated while this sample ran.


PE Compile Time

2016-08-17 16:34:04

Imports

Library KERNEL32.dll:
0x45b02c CreateThread
0x45b030 WaitForSingleObject
0x45b034 TerminateThread
0x45b038 CloseHandle
0x45b03c OpenProcess
0x45b040 WideCharToMultiByte
0x45b044 GetModuleHandleA
0x45b048 ExitProcess
0x45b04c HeapReAlloc
0x45b050 IsBadReadPtr
0x45b054 GetCommandLineA
0x45b058 GetModuleFileNameA
0x45b05c ReadFile
0x45b060 GetFileSize
0x45b068 GetLocalTime
0x45b06c WriteFile
0x45b070 GetTickCount
0x45b078 DeleteFileA
0x45b080 FindClose
0x45b084 FindNextFileA
0x45b088 RemoveDirectoryA
0x45b08c FindFirstFileA
0x45b090 MultiByteToWideChar
0x45b094 GetUserDefaultLCID
0x45b098 SetFilePointer
0x45b09c SetEndOfFile
0x45b0a0 LCMapStringA
0x45b0a4 FreeLibrary
0x45b0a8 GetProcAddress
0x45b0ac LoadLibraryA
0x45b0b0 FlushFileBuffers
0x45b0b4 SetStdHandle
0x45b0b8 IsBadCodePtr
0x45b0c0 CreateFileA
0x45b0c4 GetStringTypeA
0x45b0c8 HeapFree
0x45b0cc HeapAlloc
0x45b0d0 GetProcessHeap
0x45b0d8 RtlMoveMemory
0x45b0dc lstrcpyn
0x45b0e0 SetWaitableTimer
0x45b0e8 Process32Next
0x45b0ec Process32First
0x45b0f4 GetOEMCP
0x45b0f8 GetACP
0x45b0fc GetCPInfo
0x45b100 IsBadWritePtr
0x45b104 VirtualAlloc
0x45b108 RaiseException
0x45b10c LCMapStringW
0x45b11c VirtualFree
0x45b120 HeapCreate
0x45b124 HeapDestroy
0x45b128 GetVersionExA
0x45b12c GetLastError
0x45b130 TlsGetValue
0x45b134 SetLastError
0x45b138 TlsAlloc
0x45b13c TlsSetValue
0x45b140 GetCurrentThreadId
0x45b148 GetFileType
0x45b14c GetStdHandle
0x45b150 SetHandleCount
0x45b168 GetCurrentProcess
0x45b16c TerminateProcess
0x45b170 RtlUnwind
0x45b17c GetVersion
0x45b180 GetStartupInfoA
0x45b184 MoveFileA
0x45b188 GetStringTypeW
0x45b18c CreateDirectoryA
Library SHLWAPI.dll:
0x45b208 PathMatchSpecA
0x45b20c PathFileExistsA
0x45b210 PathIsDirectoryA
Library urlmon.dll:
0x45b28c URLDownloadToFileA
Library SHELL32.dll:
0x45b1f8 SHGetPathFromIDList
0x45b200 ShellExecuteA
Library ADVAPI32.dll:
0x45b000 RegCloseKey
0x45b004 CryptCreateHash
0x45b008 RegQueryValueExA
0x45b00c RegEnumKeyA
0x45b010 RegOpenKeyA
0x45b018 CryptGetHashParam
0x45b01c CryptDestroyHash
0x45b020 CryptHashData
0x45b024 CryptReleaseContext
Library USER32.dll:
0x45b218 TranslateMessage
0x45b21c DispatchMessageA
0x45b220 MessageBoxA
0x45b224 wsprintfA
0x45b228 PeekMessageA
0x45b22c CallWindowProcA
0x45b238 wvsprintfA
0x45b23c GetMessageA
Library ole32.dll:
0x45b270 CoUninitialize
0x45b274 OleRun
0x45b278 CoCreateInstance
0x45b27c CoInitialize
0x45b280 CLSIDFromString
0x45b284 CLSIDFromProgID
Library WININET.dll:
0x45b244 InternetCloseHandle
0x45b248 InternetOpenA
0x45b24c HttpOpenRequestA
0x45b254 HttpSendRequestA
0x45b258 InternetReadFile
0x45b25c HttpQueryInfoA
0x45b260 InternetSetCookieA
0x45b264 InternetOpenUrlA
0x45b268 InternetConnectA
Library PSAPI.DLL:
0x45b1f0 EnumProcesses
Library OLEAUT32.dll:
0x45b194 SafeArrayGetLBound
0x45b198 SafeArrayGetDim
0x45b19c VariantCopy
0x45b1a0 SafeArrayAllocData
0x45b1a8 VariantInit
0x45b1ac VariantChangeType
0x45b1b4 SafeArrayGetUBound
0x45b1b8 SafeArrayAccessData
0x45b1c4 SysFreeString
0x45b1c8 VarR8FromCy
0x45b1cc VarR8FromBool
0x45b1d0 LoadTypeLib
0x45b1d4 LHashValOfNameSys
0x45b1d8 RegisterTypeLib
0x45b1dc SafeArrayCreate
0x45b1e0 SysAllocString
0x45b1e4 VariantClear
0x45b1e8 SafeArrayDestroy

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49283 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49284 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49197 117.21.217.1 www.download.windowsupdate.com 80
192.168.56.101 49179 180.163.237.212 hao.360.cn 443
192.168.56.101 49266 203.208.41.34 update.googleapis.com 443
192.168.56.101 49282 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49206 23.33.95.40 subca.ocsp-certum.com 80
192.168.56.101 49183 23.33.95.41 repository.certum.pl 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50320 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 51660 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 53500 114.114.114.114 53
192.168.56.101 55331 114.114.114.114 53
192.168.56.101 58970 114.114.114.114 53
192.168.56.101 60088 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 62144 114.114.114.114 53
192.168.56.101 62191 114.114.114.114 53
192.168.56.101 62502 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50047 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT
If-None-Match: "0d8f4f3f6fd71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://subca.ocsp-certum.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEAXtiNgIjRHr3dYjljy67UI%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTYOkzrrCGQj08njZXbUQQpkoUmuQQUCHbNywf%2FJPbFze27kLzihDdGdfcCEAXtiNgIjRHr3dYjljy67UI%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: subca.ocsp-certum.com

http://subca.ocsp-certum.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR5iK7tYk9tqQEoeQhZNkKcAol9bgQUjEPEy22YwaechGnr30oNYJY6w%2FsCEQCTkoVAAWVxX5R%2FKI%2FvyZso
GET /MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR5iK7tYk9tqQEoeQhZNkKcAol9bgQUjEPEy22YwaechGnr30oNYJY6w%2FsCEQCTkoVAAWVxX5R%2FKI%2FvyZso HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: subca.ocsp-certum.com

http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://repository.certum.pl/ca.cer
GET /ca.cer HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: repository.certum.pl

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=963a75aab6152a7d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619581936&mv=m
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=963a75aab6152a7d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619581936&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619581936&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619581936&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.