12.4
0-day

8d5959c7ae7f84be1486ee35de5db7534104b05075aeb9150115cbe2459df9de

6cd807a30707df168f0edfe8e3429cda.exe

Analysis duration

133s

Last analyzed

File size

6.9MB
Static / dynamic detection name: BROWSEFOXCRTD
Eagle Eye engine
Not detected: no Eagle Eye engine result available
Static verdict
Antivirus engines
Engine  Result  Scan time  Engine version
CrowdStrike 20190212 1.0
Alibaba 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast 20190722 18.4.3895.0
Tencent 20190722 1.0.0.1
Kingsoft 20190722 2013.8.14.323
McAfee 20190722 6.0.6.653
Static indicators
Queries for the computer name (50 out of 191 events)
Time & API Arguments Status Return Repeated
1620974826.539375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
(the remaining 49 GetComputerNameW calls, timestamps 1620974415.698146 to 1620974877.66375, are identical to the one above apart from the timestamp: computer_name OSKAR-PC, success 1 0)
Checks if the process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1620974800.039625
IsDebuggerPresent
failed 0 0
Command line console output was observed (2 events)
Time & API Arguments Status Return Repeated
1620974805.664125
WriteConsoleW
buffer: 错误: 没有找到进程 "d6_6420.exe"。
console_handle: 0x0000000b
success 1 0
1620974809.304502
WriteConsoleW
buffer: 错误: 没有找到进程 "d6_6420_shell.exe"。
console_handle: 0x0000000b
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
This executable is signed
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1620974803.710375
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .itext
Behavioral verdict
Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)
suspicious_features: POST method with no referer header; suspicious_request: POST http://feeds2.d6communicator.com/v3/d6.php
suspicious_features: POST method with no referer header; suspicious_request: POST https://update.googleapis.com/service/update2?cup2key=10:1756305254&cup2hreq=7b7b70b332b1ea0e26a1436bc3e0e6216d687def12dec1db06f0c120e0da75ea
Performs some HTTP requests (4 events)
request POST http://feeds2.d6communicator.com/v3/d6.php
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620945620&mv=m&mvi=1&pl=23&shardbypass=yes
request POST https://update.googleapis.com/service/update2?cup2key=10:1756305254&cup2hreq=7b7b70b332b1ea0e26a1436bc3e0e6216d687def12dec1db06f0c120e0da75ea
Sends data using the HTTP POST method (2 events)
request POST http://feeds2.d6communicator.com/v3/d6.php
request POST https://update.googleapis.com/service/update2?cup2key=10:1756305254&cup2hreq=7b7b70b332b1ea0e26a1436bc3e0e6216d687def12dec1db06f0c120e0da75ea
Allocates read-write-execute memory (usually to unpack itself) (6 events)
Time & API Arguments Status Return Repeated
1620974799.335625
NtProtectVirtualMemory
process_identifier: 2196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1620974799.335625
NtProtectVirtualMemory
process_identifier: 2196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 90112
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00401000
success 0 0
1620974799.335625
NtProtectVirtualMemory
process_identifier: 2196
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 98304
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00420000
success 0 0
1620974801.023375
NtAllocateVirtualMemory
process_identifier: 1632
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00540000
success 0 0
1620974440.401146
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000007b80000
success 0 0
1620974884.585125
NtAllocateVirtualMemory
process_identifier: 1904
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ef0000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Queries the disk size, which could be used to detect a virtual machine with a small fixed-size or dynamically allocated disk (14 events)
Time & API Arguments Status Return Repeated
1620974820.335375
GetDiskFreeSpaceExW
root_path: C:\Program Files (x86)\D6 Technology\d6_6420\
free_bytes_available: 155102521908988148
total_number_of_free_bytes: 0
total_number_of_bytes: 1729671688145551912
failed 0 0
1620974820.335375
GetDiskFreeSpaceExW
root_path: C:\Program Files (x86)\D6 Technology\
free_bytes_available: 155102521908988148
total_number_of_free_bytes: 0
total_number_of_bytes: 1729671688145551912
failed 0 0
1620974820.335375
GetDiskFreeSpaceExW
root_path: C:\Program Files (x86)\
free_bytes_available: 19606007808
total_number_of_free_bytes: 0
total_number_of_bytes: 34252779520
success 1 0
1620974418.698146
GetDiskFreeSpaceExW
root_path: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Explorer
free_bytes_available: 19396177920
total_number_of_free_bytes: 0
total_number_of_bytes: 0
success 1 0
1620974882.77275
GetDiskFreeSpaceW
root_path: C:
sectors_per_cluster: 8362495
number_of_free_clusters: 8362495
total_number_of_clusters: 8362495
bytes_per_sector: 512
success 1 0
(9 further GetDiskFreeSpaceW calls on root_path C:, timestamps 1620974882.77275 to 1620974898.35075, return the same values as the call above: sectors_per_cluster 8362495, number_of_free_clusters 8362495, total_number_of_clusters 8362495, bytes_per_sector 512, success 1 0)
Creates executable files on the filesystem (7 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\com.d6technology\d6_6420\Adobe AIR\Versions\1.0\Adobe AIR.dll
file C:\Users\Public\Desktop\Keurboom Nursery.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Keurboom Nursery\Uninstall Keurboom Nursery.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-6M15V.tmp\psvince.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-6M15V.tmp\_isetup\_shfoldr.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\com.d6technology\d6_6420\d6_6420_shell.exe
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Keurboom Nursery\Keurboom Nursery.lnk
Creates a shortcut to an executable file (4 events)
file C:\Users\Public\Desktop\Google Chrome.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Keurboom Nursery\Keurboom Nursery.lnk
file C:\Users\Public\Desktop\Keurboom Nursery.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Keurboom Nursery\Uninstall Keurboom Nursery.lnk
Drops an executable to the user AppData folder (4 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-6M15V.tmp\psvince.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\com.d6technology\d6_6420\Adobe AIR\Versions\1.0\Adobe AIR.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-KIQ96.tmp\6cd807a30707df168f0edfe8e3429cda.tmp
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-6M15V.tmp\_isetup\_shfoldr.dll
Executes one or more WMI queries (1 event)
wmi SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
A process created a hidden window (2 events)
Time & API Arguments Status Return Repeated
1620974804.414375
ShellExecuteExW
parameters: /im d6_6420.exe /t /f
filepath: taskkill
filepath_r: taskkill
show_type: 0
success 1 0
1620974808.617375
ShellExecuteExW
parameters: /im d6_6420_shell.exe /t /f
filepath: taskkill
filepath_r: taskkill
show_type: 0
success 1 0
File has been identified by one antivirus engine on VirusTotal as malicious (1 event)
Zillya Adware.BrowseFoxCRTD.Win32.10884
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
Time & API Arguments Status Return Repeated
1620974884.679125
NtProtectVirtualMemory
process_identifier: 1904
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 57344
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x02df0000
success 0 0
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1620974888.41375
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)
Time & API Arguments Status Return Repeated
1620974805.070125
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1620974809.101502
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Queries for potentially installed applications (4 events)
Time & API Arguments Status Return Repeated
1620974812.117375
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Keurboom Nursery_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Keurboom Nursery_is1
options: 0
failed 2 0
1620974812.117375
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Keurboom Nursery_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Keurboom Nursery_is1
options: 0
failed 2 0
1620974835.164375
RegOpenKeyExW
access: 0x00000008
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Keurboom Nursery_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Keurboom Nursery_is1
options: 0
failed 2 0
1620974835.164375
RegOpenKeyExW
access: 0x00000008
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Keurboom Nursery_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Keurboom Nursery_is1
options: 0
failed 2 0
Uses Windows utilities for basic Windows functionality (4 events)
cmdline "C:\Windows\System32\taskkill.exe" /im d6_6420_shell.exe /t /f
cmdline "C:\Windows\System32\taskkill.exe" /im d6_6420.exe /t /f
cmdline taskkill /im d6_6420_shell.exe /t /f
cmdline taskkill /im d6_6420.exe /t /f
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
A process attempted to delay the analysis task (1 event)
description: d6_6420_shell.exe tried to sleep 19097142 seconds, actually delayed analysis time by 19097142 seconds
Installs itself for autorun at Windows startup (1 event)
reg_key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\d6_6420; reg_value: C:\Program Files (x86)\D6 Technology\d6_6420\d6\d6_6420.exe
Sets or modifies the WPAD proxy autoconfiguration file for traffic interception (15 events)
Time & API Arguments Status Return Repeated
1620974891.56975
RegSetValueExA
key_handle: 0x00000510
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620974891.56975
RegSetValueExA
key_handle: 0x00000510
value: Ù~¹„H×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620974891.56975
RegSetValueExA
key_handle: 0x00000510
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620974891.56975
RegSetValueExW
key_handle: 0x00000510
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620974891.56975
RegSetValueExA
key_handle: 0x00000524
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620974891.56975
RegSetValueExA
key_handle: 0x00000524
value: Ù~¹„H×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620974891.56975
RegSetValueExA
key_handle: 0x00000524
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620974891.70975
RegSetValueExW
key_handle: 0x0000050c
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
1620974893.61675
RegSetValueExA
key_handle: 0x000002b0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620974893.61675
RegSetValueExA
key_handle: 0x000002b0
value: €C¸º„H×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620974893.61675
RegSetValueExA
key_handle: 0x000002b0
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620974893.63175
RegSetValueExW
key_handle: 0x000002b0
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620974893.63175
RegSetValueExA
key_handle: 0x000002a4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620974893.63175
RegSetValueExA
key_handle: 0x000002a4
value: €C¸º„H×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620974893.63175
RegSetValueExA
key_handle: 0x000002a4
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
Generates some ICMP traffic
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 216.58.200.238:443
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran


PE Compile Time

2011-12-20 22:16:50

Imports

Library oleaut32.dll:
0x41e350 SysFreeString
0x41e354 SysReAllocStringLen
0x41e358 SysAllocStringLen
Library advapi32.dll:
0x41e360 RegQueryValueExW
0x41e364 RegOpenKeyExW
0x41e368 RegCloseKey
Library user32.dll:
0x41e370 GetKeyboardType
0x41e374 LoadStringW
0x41e378 MessageBoxA
0x41e37c CharNextW
Library kernel32.dll:
0x41e384 GetACP
0x41e388 Sleep
0x41e38c VirtualFree
0x41e390 VirtualAlloc
0x41e394 GetSystemInfo
0x41e398 GetTickCount
0x41e3a0 GetVersion
0x41e3a4 GetCurrentThreadId
0x41e3a8 VirtualQuery
0x41e3ac WideCharToMultiByte
0x41e3b0 MultiByteToWideChar
0x41e3b4 lstrlenW
0x41e3b8 lstrcpynW
0x41e3bc LoadLibraryExW
0x41e3c0 GetThreadLocale
0x41e3c4 GetStartupInfoA
0x41e3c8 GetProcAddress
0x41e3cc GetModuleHandleW
0x41e3d0 GetModuleFileNameW
0x41e3d4 GetLocaleInfoW
0x41e3d8 GetCommandLineW
0x41e3dc FreeLibrary
0x41e3e0 FindFirstFileW
0x41e3e4 FindClose
0x41e3e8 ExitProcess
0x41e3ec WriteFile
0x41e3f4 RtlUnwind
0x41e3f8 RaiseException
0x41e3fc GetStdHandle
0x41e400 CloseHandle
Library kernel32.dll:
0x41e408 TlsSetValue
0x41e40c TlsGetValue
0x41e410 LocalAlloc
0x41e414 GetModuleHandleW
Library user32.dll:
0x41e41c CreateWindowExW
0x41e420 TranslateMessage
0x41e424 SetWindowLongW
0x41e428 PeekMessageW
0x41e430 MessageBoxW
0x41e434 LoadStringW
0x41e438 GetSystemMetrics
0x41e43c ExitWindowsEx
0x41e440 DispatchMessageW
0x41e444 DestroyWindow
0x41e448 CharUpperBuffW
0x41e44c CallWindowProcW
Library kernel32.dll:
0x41e454 WriteFile
0x41e458 WideCharToMultiByte
0x41e45c WaitForSingleObject
0x41e460 VirtualQuery
0x41e464 VirtualProtect
0x41e468 VirtualFree
0x41e46c VirtualAlloc
0x41e470 SizeofResource
0x41e474 SignalObjectAndWait
0x41e478 SetLastError
0x41e47c SetFilePointer
0x41e480 SetEvent
0x41e484 SetErrorMode
0x41e488 SetEndOfFile
0x41e48c ResetEvent
0x41e490 RemoveDirectoryW
0x41e494 ReadFile
0x41e498 MultiByteToWideChar
0x41e49c LockResource
0x41e4a0 LoadResource
0x41e4a4 LoadLibraryW
0x41e4b4 GetVersionExW
0x41e4bc GetThreadLocale
0x41e4c0 GetSystemInfo
0x41e4c4 GetStdHandle
0x41e4c8 GetProcAddress
0x41e4cc GetModuleHandleW
0x41e4d0 GetModuleFileNameW
0x41e4d4 GetLocaleInfoW
0x41e4d8 GetLocalTime
0x41e4dc GetLastError
0x41e4e0 GetFullPathNameW
0x41e4e4 GetFileSize
0x41e4e8 GetFileAttributesW
0x41e4ec GetExitCodeProcess
0x41e4f4 GetDiskFreeSpaceW
0x41e4f8 GetDateFormatW
0x41e4fc GetCurrentProcess
0x41e500 GetCommandLineW
0x41e504 GetCPInfo
0x41e508 InterlockedExchange
0x41e510 FreeLibrary
0x41e514 FormatMessageW
0x41e518 FindResourceW
0x41e51c EnumCalendarInfoW
0x41e524 DeleteFileW
0x41e52c CreateProcessW
0x41e530 CreateFileW
0x41e534 CreateEventW
0x41e538 CreateDirectoryW
0x41e53c CompareStringW
0x41e540 CloseHandle
Library advapi32.dll:
0x41e548 RegQueryValueExW
0x41e54c RegOpenKeyExW
0x41e550 RegCloseKey
0x41e554 OpenProcessToken
Library comctl32.dll:
0x41e560 InitCommonControls
Library kernel32.dll:
0x41e568 Sleep
Library advapi32.dll:
Library oleaut32.dll:
0x41e578 SafeArrayPtrOfIndex
0x41e57c SafeArrayGetUBound
0x41e580 SafeArrayGetLBound
0x41e584 SafeArrayCreate
0x41e588 VariantChangeType
0x41e58c VariantCopy
0x41e590 VariantClear
0x41e594 VariantInit

Hosts

No hosts contacted.

TCP

Source  Source port  Destination IP  Destination host  Destination port
192.168.56.101 49258 113.108.239.161 redirector.gvt1.com 80
192.168.56.101 49240 159.69.101.238 feeds2.d6communicator.com 80
192.168.56.101 49226 203.208.40.34 update.googleapis.com 443
192.168.56.101 49260 58.63.233.66 r1---sn-j5o76n7l.gvt1.com 80

UDP

Source  Source port  Destination IP  Destination host (where resolved)  Destination port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 53380 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57236 224.0.0.252 5355
192.168.56.101 58070 224.0.0.252 5355
192.168.56.101 58970 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r1---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620945620&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620945620&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7l.gvt1.com

http://feeds2.d6communicator.com/v3/d6.php
POST /v3/d6.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: D6Client
Host: feeds2.d6communicator.com
Content-Length: 449
Connection: Keep-Alive
Cache-Control: no-cache

feedId=6420&feedToken=3p5zRnO0ZIg7cBCHgjSkKQ%2b7f2SO5etFkWyOOTj0kzw%3d&build=Jul+30+2012+13%3a10%3a37+%28release%29&appId=%2d1&os=%3cos+type%3d%22win%22+major%3d%226%22+minor%3d%221%22+build%3d%227601%22+platform%3d%222%22%2f%3e&platform=win&guid=1857c347%2d3687%2d4b92%2d8698%2d80d10f8fcba2&machineId=b4b1edcb745f912e82b9852927eb3c2b&sign=true&d6=%3c%3fxml+version%3d%221%2e0%22+encoding%3d%22UTF%2d8%22+%3f%3e%3cd6feed+version%3d%222%2e0%22+%2f%3e

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.