12.8
0-day
59 个模型检测该样本为恶意!
重新分析
更多

d015c42aeec1560eb2cf33b77fab18293a23cf61a7621746bc923a9ad4cc64dd

81354be34b2c4872dc497d4c909e8808.exe

分析耗时

116s

最近分析

文件大小

777.5KB
静态报毒 动态报毒 7NGOUVY3KHY AI SCORE=83 ATTRIBUTE CLASSIC CONFIDENCE DELF DELPHILESS DXCN ELXR FAREIT FCMT GENERICKDZ GENETIC GPCCM HAWKEYE HIGH CONFIDENCE HIGHCONFIDENCE HKDNIH KRYPTIK MALWARE@#2CVNH58146PHM R + MAL R06EC0DIA20 SCORE STATIC AI SUSGEN SUSPICIOUS PE TSCOPE UNSAFE WGW@AMF8JPJI X2066 ZELPHIF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Alibaba Trojan:Win32/Kryptik.893909ba 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
Avast Win32:Trojan-gen 20201226 21.1.5827.0
Tencent Win32.Trojan.Kryptik.Dxcn 20201226 1.0.0.1
Baidu 20190318 1.0.0.2
McAfee Fareit-FTB!81354BE34B2C 20201226 6.0.6.653
静态指标
Queries for the computername (6 个事件)
Time & API Arguments Status Return Repeated
1619706901.137999
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619706901.168999
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619706901.168999
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619706901.199999
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619706910.246999
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619706910.246999
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (1 个事件)
Time & API Arguments Status Return Repeated
1619706902.512999
IsDebuggerPresent
failed 0 0
Command line console output was observed (7 个事件)
Time & API Arguments Status Return Repeated
1619706911.824999
WriteConsoleW
buffer: 无法将“Add-MpPreference”项识别为 cmdlet、函数、脚本文件或可运行程序的名称。请
console_handle: 0x00000023
success 1 0
1619706911.840999
WriteConsoleW
buffer: 检查名称的拼写,如果包括路径,请确保路径正确,然后重试。
console_handle: 0x0000002f
success 1 0
1619706911.856999
WriteConsoleW
buffer: 所在位置 行:1 字符: 17
console_handle: 0x0000003b
success 1 0
1619706911.856999
WriteConsoleW
buffer: + Add-MpPreference <<<< -ExclusionPath C:\
console_handle: 0x00000047
success 1 0
1619706911.871999
WriteConsoleW
buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co
console_handle: 0x00000053
success 1 0
1619706911.871999
WriteConsoleW
buffer: mmandNotFoundException
console_handle: 0x0000005f
success 1 0
1619706911.887999
WriteConsoleW
buffer: + FullyQualifiedErrorId : CommandNotFoundException
console_handle: 0x0000006b
success 1 0
Uses Windows APIs to generate a cryptographic key (50 out of 64 个事件)
Time & API Arguments Status Return Repeated
1619706903.949999
CryptExportKey
crypto_handle: 0x004a81a0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706904.887999
CryptExportKey
crypto_handle: 0x004a8060
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706904.887999
CryptExportKey
crypto_handle: 0x004a8060
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706904.887999
CryptExportKey
crypto_handle: 0x004a8060
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706905.106999
CryptExportKey
crypto_handle: 0x004a8060
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706905.106999
CryptExportKey
crypto_handle: 0x004a8060
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706905.106999
CryptExportKey
crypto_handle: 0x004a8060
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706905.168999
CryptExportKey
crypto_handle: 0x004a8060
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706905.215999
CryptExportKey
crypto_handle: 0x004a75a0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706905.215999
CryptExportKey
crypto_handle: 0x004a75a0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706905.246999
CryptExportKey
crypto_handle: 0x004a75a0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706905.246999
CryptExportKey
crypto_handle: 0x004a75a0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706905.246999
CryptExportKey
crypto_handle: 0x004a75a0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706905.246999
CryptExportKey
crypto_handle: 0x004a75a0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706908.231999
CryptExportKey
crypto_handle: 0x004a7ae0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706908.231999
CryptExportKey
crypto_handle: 0x004a7ae0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706908.231999
CryptExportKey
crypto_handle: 0x004a7ae0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706908.246999
CryptExportKey
crypto_handle: 0x004a7ae0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706908.246999
CryptExportKey
crypto_handle: 0x004a7ae0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706908.246999
CryptExportKey
crypto_handle: 0x004a7ae0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706908.309999
CryptExportKey
crypto_handle: 0x004a7ae0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706909.918999
CryptExportKey
crypto_handle: 0x004a7ea0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706909.918999
CryptExportKey
crypto_handle: 0x004a7ea0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706909.918999
CryptExportKey
crypto_handle: 0x004a7ea0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706909.934999
CryptExportKey
crypto_handle: 0x004a79e0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706909.934999
CryptExportKey
crypto_handle: 0x004a7ea0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706909.934999
CryptExportKey
crypto_handle: 0x004a7ea0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706909.934999
CryptExportKey
crypto_handle: 0x004a7ea0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706909.934999
CryptExportKey
crypto_handle: 0x004a7ea0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706909.949999
CryptExportKey
crypto_handle: 0x004a7ea0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706909.965999
CryptExportKey
crypto_handle: 0x004a7ea0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706909.965999
CryptExportKey
crypto_handle: 0x004a7ea0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706910.043999
CryptExportKey
crypto_handle: 0x004a7ea0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706910.043999
CryptExportKey
crypto_handle: 0x004a7ea0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706910.074999
CryptExportKey
crypto_handle: 0x004a7de0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706910.074999
CryptExportKey
crypto_handle: 0x004a7de0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706910.074999
CryptExportKey
crypto_handle: 0x004a7de0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706910.074999
CryptExportKey
crypto_handle: 0x004a7de0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706910.074999
CryptExportKey
crypto_handle: 0x004a7de0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706910.074999
CryptExportKey
crypto_handle: 0x004a7de0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706910.106999
CryptExportKey
crypto_handle: 0x004a7de0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706910.184999
CryptExportKey
crypto_handle: 0x004a7460
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706910.184999
CryptExportKey
crypto_handle: 0x004a7460
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706910.512999
CryptExportKey
crypto_handle: 0x004a7460
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706910.512999
CryptExportKey
crypto_handle: 0x004a7460
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706910.528999
CryptExportKey
crypto_handle: 0x004a7460
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706910.528999
CryptExportKey
crypto_handle: 0x004a7460
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706910.528999
CryptExportKey
crypto_handle: 0x004a7460
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706910.543999
CryptExportKey
crypto_handle: 0x004a7460
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1619706910.543999
CryptExportKey
crypto_handle: 0x004a7460
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619706888.013499
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)
section CODE
section DATA
section BSS
The executable uses a known packer (1 个事件)
packer BobSoft Mini Delphi -> BoB / BobSoft
One or more processes crashed (2 个事件)
Time & API Arguments Status Return Repeated
1619706887.418999
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 54001208
registers.edi: 0
registers.eax: 0
registers.ebp: 54001544
registers.edx: 54
registers.ebx: 0
registers.esi: 0
registers.ecx: 419
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 5e 6c 00 00 e9
exception.symbol: 81354be34b2c4872dc497d4c909e8808+0x836ec
exception.instruction: div eax
exception.module: 81354be34b2c4872dc497d4c909e8808.exe
exception.exception_code: 0xc0000094
exception.offset: 538348
exception.address: 0x4836ec
success 0 0
1619706890.762999
__exception__
stacktrace: 
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 35323448
registers.edi: 0
registers.eax: 0
registers.ebp: 35323784
registers.edx: 54
registers.ebx: 0
registers.esi: 0
registers.ecx: 763
exception.instruction_r: f7 f0 33 c0 5a 59 59 64 89 10 e9 5e 6c 00 00 e9
exception.symbol: images+0x836ec
exception.instruction: div eax
exception.module: images.exe
exception.exception_code: 0xc0000094
exception.offset: 538348
exception.address: 0x4836ec
success 0 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:2714551281&cup2hreq=0ccef6adaf8b1a254135e03f96f602b1dc5d1cd6cf656b1b8bda489ab590e1cc
Performs some HTTP requests (4 个事件)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619677693&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=f8e5648c7cdf3819&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619677693&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:2714551281&cup2hreq=0ccef6adaf8b1a254135e03f96f602b1dc5d1cd6cf656b1b8bda489ab590e1cc
Sends data using the HTTP POST Method (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:2714551281&cup2hreq=0ccef6adaf8b1a254135e03f96f602b1dc5d1cd6cf656b1b8bda489ab590e1cc
Allocates read-write-execute memory (usually to unpack itself) (50 out of 147 个事件)
Time & API Arguments Status Return Repeated
1619706886.981999
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00360000
success 0 0
1619706887.418999
NtProtectVirtualMemory
process_identifier: 1912
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00483000
success 0 0
1619706887.418999
NtAllocateVirtualMemory
process_identifier: 1912
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00670000
success 0 0
1619706520.61052
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004150000
success 0 0
1619706890.621999
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1619706890.762999
NtProtectVirtualMemory
process_identifier: 3000
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 32768
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00483000
success 0 0
1619706890.762999
NtAllocateVirtualMemory
process_identifier: 3000
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ec0000
success 0 0
1619706901.481999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02840000
success 0 0
1619706901.481999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x028d0000
success 0 0
1619706902.403999
NtProtectVirtualMemory
process_identifier: 1128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x737c1000
success 0 0
1619706902.512999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f4a000
success 0 0
1619706902.512999
NtProtectVirtualMemory
process_identifier: 1128
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x737c2000
success 0 0
1619706902.512999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f42000
success 0 0
1619706902.824999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02092000
success 0 0
1619706902.918999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x028d1000
success 0 0
1619706902.965999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x028d2000
success 0 0
1619706903.043999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020ba000
success 0 0
1619706903.418999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02093000
success 0 0
1619706903.574999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02094000
success 0 0
1619706903.606999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020cb000
success 0 0
1619706903.606999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020c7000
success 0 0
1619706903.762999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x01f4b000
success 0 0
1619706903.887999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020b2000
success 0 0
1619706903.903999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020c5000
success 0 0
1619706904.434999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02095000
success 0 0
1619706904.809999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020bc000
success 0 0
1619706905.168999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020b3000
success 0 0
1619706905.215999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03130000
success 0 0
1619706906.824999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02096000
success 0 0
1619706908.199999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020cc000
success 0 0
1619706909.074999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020b4000
success 0 0
1619706909.074999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020b5000
success 0 0
1619706909.074999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020b6000
success 0 0
1619706909.074999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020b7000
success 0 0
1619706909.074999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020b8000
success 0 0
1619706909.074999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x020b9000
success 0 0
1619706909.074999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03140000
success 0 0
1619706909.074999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03141000
success 0 0
1619706909.074999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03142000
success 0 0
1619706909.074999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03143000
success 0 0
1619706909.074999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03144000
success 0 0
1619706909.074999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03145000
success 0 0
1619706909.074999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03146000
success 0 0
1619706909.074999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03147000
success 0 0
1619706909.074999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03148000
success 0 0
1619706909.074999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03149000
success 0 0
1619706909.074999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0314a000
success 0 0
1619706909.074999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0314b000
success 0 0
1619706909.074999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0314c000
success 0 0
1619706909.074999
NtAllocateVirtualMemory
process_identifier: 1128
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0314d000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates a shortcut to an executable file (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
Creates a suspicious process (1 个事件)
cmdline powershell Add-MpPreference -ExclusionPath C:\
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 个事件)
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.030343670579751 section {'size_of_data': '0x0002a600', 'virtual_address': '0x0009e000', 'entropy': 7.030343670579751, 'name': '.rsrc', 'virtual_size': '0x0002a53c'} description A section with a high entropy has been found
entropy 0.21828718609143594 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1619706903.746999
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Installs itself for autorun at Windows startup (1 个事件)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Images reg_value C:\ProgramData\images.exe
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 个事件)
Process injection Process 1912 called NtSetContextThread to modify thread in remote process 364
Process injection Process 3000 called NtSetContextThread to modify thread in remote process 2616
Time & API Arguments Status Return Repeated
1619706887.481999
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4217095
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 364
success 0 0
1619706890.840999
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4217095
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2616
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 个事件)
file C:\ProgramData\images.exe:Zone.Identifier
Resumed a suspended thread in a remote process potentially indicative of process injection (4 个事件)
Process injection Process 1912 resumed a thread in remote process 364
Process injection Process 3000 resumed a thread in remote process 2616
Time & API Arguments Status Return Repeated
1619706887.574999
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 364
success 0 0
1619706890.996999
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2616
success 0 0
Executed a process and injected code into it, probably while unpacking (18 个事件)
Time & API Arguments Status Return Repeated
1619706887.465999
CreateProcessInternalW
thread_identifier: 1760
thread_handle: 0x00000108
process_identifier: 364
current_directory:
filepath:
track: 1
command_line: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\81354be34b2c4872dc497d4c909e8808.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000010c
inherit_handles: 0
success 1 0
1619706887.465999
NtUnmapViewOfSection
process_identifier: 364
region_size: 4096
process_handle: 0x0000010c
base_address: 0x00400000
success 0 0
1619706887.465999
NtMapViewOfSection
section_handle: 0x00000114
process_identifier: 364
commit_size: 1388544
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x0000010c
allocation_type: 0 ()
section_offset: 0
view_size: 1388544
base_address: 0x00400000
success 0 0
1619706887.481999
NtGetContextThread
thread_handle: 0x00000108
success 0 0
1619706887.481999
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4217095
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 364
success 0 0
1619706887.574999
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 364
success 0 0
1619706890.091499
CreateProcessInternalW
thread_identifier: 1824
thread_handle: 0x000001e4
process_identifier: 1128
current_directory:
filepath:
track: 1
command_line: powershell Add-MpPreference -ExclusionPath C:\
filepath_r:
stack_pivoted: 0
creation_flags: 0 ()
process_handle: 0x000001dc
inherit_handles: 0
success 1 0
1619706890.450499
CreateProcessInternalW
thread_identifier: 1812
thread_handle: 0x000001e4
process_identifier: 3000
current_directory:
filepath: C:\ProgramData\images.exe
track: 1
command_line:
filepath_r: C:\ProgramData\images.exe
stack_pivoted: 0
creation_flags: 0 ()
process_handle: 0x000001e8
inherit_handles: 0
success 1 0
1619706890.824999
CreateProcessInternalW
thread_identifier: 2544
thread_handle: 0x00000108
process_identifier: 2616
current_directory:
filepath:
track: 1
command_line: "C:\ProgramData\images.exe"
filepath_r:
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000010c
inherit_handles: 0
success 1 0
1619706890.824999
NtUnmapViewOfSection
process_identifier: 2616
region_size: 4096
process_handle: 0x0000010c
base_address: 0x00400000
success 0 0
1619706890.824999
NtMapViewOfSection
section_handle: 0x00000114
process_identifier: 2616
commit_size: 1388544
win32_protect: 64 (PAGE_EXECUTE_READWRITE)
buffer:
process_handle: 0x0000010c
allocation_type: 0 ()
section_offset: 0
view_size: 1388544
base_address: 0x00400000
success 0 0
1619706890.840999
NtGetContextThread
thread_handle: 0x00000108
success 0 0
1619706890.840999
NtSetContextThread
thread_handle: 0x00000108
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4217095
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2616
success 0 0
1619706890.996999
NtResumeThread
thread_handle: 0x00000108
suspend_count: 1
process_identifier: 2616
success 0 0
1619706902.512999
NtResumeThread
thread_handle: 0x00000294
suspend_count: 1
process_identifier: 1128
success 0 0
1619706902.543999
NtResumeThread
thread_handle: 0x000002e8
suspend_count: 1
process_identifier: 1128
success 0 0
1619706911.074999
NtResumeThread
thread_handle: 0x00000454
suspend_count: 1
process_identifier: 1128
success 0 0
1619706911.887999
NtResumeThread
thread_handle: 0x000003b0
suspend_count: 1
process_identifier: 1128
success 0 0
File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 个事件)
Elastic malicious (high confidence)
DrWeb Trojan.PWS.Stealer.28485
MicroWorld-eScan Trojan.GenericKDZ.67129
FireEye Generic.mg.81354be34b2c4872
ALYac Trojan.GenericKDZ.67129
Cylance Unsafe
Zillya Trojan.Fareit.Win32.35890
Sangfor Malware
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win32/Kryptik.893909ba
K7GW Riskware ( 0040eff71 )
CrowdStrike win/malicious_confidence_90% (W)
Arcabit Trojan.Generic.D10639
BitDefenderTheta Gen:NN.ZelphiF.34700.WGW@amF8jpji
Cyren W32/Trojan.FCMT-6763
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win32/Injector.ELXR
APEX Malicious
Avast Win32:Trojan-gen
ClamAV Win.Dropper.HawkEye-7789014-0
Kaspersky HEUR:Trojan.Win32.Kryptik.gen
BitDefender Trojan.GenericKDZ.67129
NANO-Antivirus Trojan.Win32.Stealer.hkdnih
Paloalto generic.ml
Tencent Win32.Trojan.Kryptik.Dxcn
Ad-Aware Trojan.GenericKDZ.67129
Sophos Mal/Generic-R + Mal/Fareit-AA
Comodo Malware@#2cvnh58146phm
F-Secure Trojan.TR/Injector.gpccm
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R06EC0DIA20
McAfee-GW-Edition BehavesLike.Win32.Fareit.bh
Emsisoft Trojan.GenericKDZ.67129 (B)
Ikarus Trojan.Inject
Jiangmin Trojan.Kryptik.bex
Avira TR/Injector.gpccm
Antiy-AVL Trojan/Win32.Kryptik
Gridinsoft Trojan.Win32.Kryptik.ba!s1
Microsoft PWS:Win32/Fareit.JK!MTB
AegisLab Trojan.Win32.Kryptik.4!c
ZoneAlarm HEUR:Trojan.Win32.Kryptik.gen
GData Win32.Trojan.Injector.PA
Cynet Malicious (score: 100)
AhnLab-V3 Suspicious/Win.Delphiless.X2066
McAfee Fareit-FTB!81354BE34B2C
MAX malware (ai score=83)
VBA32 TScope.Trojan.Delf
Malwarebytes Spyware.Agent
Zoner Trojan.Win32.91115
TrendMicro-HouseCall TROJ_GEN.R06EC0DIA20
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 个事件)
dead_host 172.217.24.14:443
dead_host 172.217.27.142:443
dead_host 172.217.160.78:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:
0x48f178 VirtualFree
0x48f17c VirtualAlloc
0x48f180 LocalFree
0x48f184 LocalAlloc
0x48f188 GetVersion
0x48f18c GetCurrentThreadId
0x48f198 VirtualQuery
0x48f19c WideCharToMultiByte
0x48f1a0 MultiByteToWideChar
0x48f1a4 lstrlenA
0x48f1a8 lstrcpynA
0x48f1ac LoadLibraryExA
0x48f1b0 GetThreadLocale
0x48f1b4 GetStartupInfoA
0x48f1b8 GetProcAddress
0x48f1bc GetModuleHandleA
0x48f1c0 GetModuleFileNameA
0x48f1c4 GetLocaleInfoA
0x48f1c8 GetCommandLineA
0x48f1cc FreeLibrary
0x48f1d0 FindFirstFileA
0x48f1d4 FindClose
0x48f1d8 ExitProcess
0x48f1dc ExitThread
0x48f1e0 CreateThread
0x48f1e4 WriteFile
0x48f1ec RtlUnwind
0x48f1f0 RaiseException
0x48f1f4 GetStdHandle
Library user32.dll:
0x48f1fc GetKeyboardType
0x48f200 LoadStringA
0x48f204 MessageBoxA
0x48f208 CharNextA
Library advapi32.dll:
0x48f210 RegQueryValueExA
0x48f214 RegOpenKeyExA
0x48f218 RegCloseKey
Library oleaut32.dll:
0x48f220 SysFreeString
0x48f224 SysReAllocStringLen
0x48f228 SysAllocStringLen
Library kernel32.dll:
0x48f230 TlsSetValue
0x48f234 TlsGetValue
0x48f238 LocalAlloc
0x48f23c GetModuleHandleA
Library advapi32.dll:
0x48f244 RegQueryValueExA
0x48f248 RegOpenKeyExA
0x48f24c RegCloseKey
Library kernel32.dll:
0x48f254 lstrlenA
0x48f258 lstrcpyA
0x48f25c lstrcmpA
0x48f260 WriteFile
0x48f264 WaitForSingleObject
0x48f26c VirtualQuery
0x48f270 VirtualProtect
0x48f274 VirtualAlloc
0x48f278 Sleep
0x48f27c SizeofResource
0x48f280 SetThreadLocale
0x48f284 SetFilePointer
0x48f288 SetEvent
0x48f28c SetErrorMode
0x48f290 SetEndOfFile
0x48f298 ResumeThread
0x48f29c ResetEvent
0x48f2a0 ReleaseMutex
0x48f2a4 ReadFile
0x48f2a8 MultiByteToWideChar
0x48f2ac MulDiv
0x48f2b0 LockResource
0x48f2b4 LoadResource
0x48f2b8 LoadLibraryA
0x48f2c4 GlobalUnlock
0x48f2c8 GlobalReAlloc
0x48f2cc GlobalHandle
0x48f2d0 GlobalLock
0x48f2d4 GlobalFree
0x48f2d8 GlobalFindAtomA
0x48f2dc GlobalDeleteAtom
0x48f2e0 GlobalAlloc
0x48f2e4 GlobalAddAtomA
0x48f2e8 GetVersionExA
0x48f2ec GetVersion
0x48f2f0 GetTickCount
0x48f2f4 GetThreadLocale
0x48f2f8 GetTempPathA
0x48f300 GetSystemTime
0x48f304 GetSystemInfo
0x48f308 GetStringTypeExA
0x48f30c GetStdHandle
0x48f310 GetProcAddress
0x48f314 GetModuleHandleA
0x48f318 GetModuleFileNameA
0x48f31c GetLocaleInfoA
0x48f320 GetLocalTime
0x48f324 GetLastError
0x48f328 GetFullPathNameA
0x48f32c GetFileSize
0x48f330 GetExitCodeThread
0x48f334 GetDiskFreeSpaceA
0x48f338 GetDateFormatA
0x48f33c GetCurrentThreadId
0x48f340 GetCurrentProcessId
0x48f348 GetCPInfo
0x48f34c GetACP
0x48f350 FreeResource
0x48f358 InterlockedExchange
0x48f360 FreeLibrary
0x48f364 FormatMessageA
0x48f368 FindResourceA
0x48f370 FindFirstFileA
0x48f37c FindClose
0x48f38c ExitThread
0x48f390 ExitProcess
0x48f394 EnumCalendarInfoA
0x48f39c DeleteFileA
0x48f3a4 CreateThread
0x48f3a8 CreateMutexA
0x48f3ac CreateFileA
0x48f3b0 CreateEventA
0x48f3b4 CompareStringA
0x48f3b8 CloseHandle
Library version.dll:
0x48f3c0 VerQueryValueA
0x48f3c8 GetFileVersionInfoA
Library gdi32.dll:
0x48f3d0 UnrealizeObject
0x48f3d4 StretchBlt
0x48f3d8 SetWindowOrgEx
0x48f3dc SetViewportOrgEx
0x48f3e0 SetTextColor
0x48f3e4 SetStretchBltMode
0x48f3e8 SetROP2
0x48f3ec SetPixel
0x48f3f0 SetDIBColorTable
0x48f3f4 SetColorSpace
0x48f3f8 SetBrushOrgEx
0x48f3fc SetBkMode
0x48f400 SetBkColor
0x48f404 SelectPalette
0x48f408 SelectObject
0x48f40c SaveDC
0x48f410 RestoreDC
0x48f414 Rectangle
0x48f418 RectVisible
0x48f41c RealizePalette
0x48f420 PatBlt
0x48f424 MoveToEx
0x48f428 MaskBlt
0x48f42c LineTo
0x48f430 IntersectClipRect
0x48f434 GetWindowOrgEx
0x48f438 GetTextMetricsA
0x48f444 GetStockObject
0x48f448 GetPixel
0x48f44c GetPaletteEntries
0x48f450 GetObjectA
0x48f454 GetDeviceCaps
0x48f458 GetDIBits
0x48f45c GetDIBColorTable
0x48f460 GetDCOrgEx
0x48f468 GetClipBox
0x48f46c GetBrushOrgEx
0x48f470 GetBitmapBits
0x48f474 ExtTextOutA
0x48f478 ExcludeClipRect
0x48f47c DeleteObject
0x48f480 DeleteDC
0x48f484 CreateSolidBrush
0x48f488 CreatePenIndirect
0x48f48c CreatePalette
0x48f494 CreateFontIndirectA
0x48f498 CreateDIBitmap
0x48f49c CreateDIBSection
0x48f4a0 CreateCompatibleDC
0x48f4a8 CreateBrushIndirect
0x48f4ac CreateBitmap
0x48f4b0 BitBlt
Library user32.dll:
0x48f4b8 CreateWindowExA
0x48f4bc WindowFromPoint
0x48f4c0 WinHelpA
0x48f4c4 WaitMessage
0x48f4c8 UpdateWindow
0x48f4cc UnregisterClassA
0x48f4d0 UnhookWindowsHookEx
0x48f4d4 TranslateMessage
0x48f4dc TrackPopupMenu
0x48f4e4 ShowWindow
0x48f4e8 ShowScrollBar
0x48f4ec ShowOwnedPopups
0x48f4f0 ShowCursor
0x48f4f4 SetWindowsHookExA
0x48f4f8 SetWindowTextA
0x48f4fc SetWindowPos
0x48f500 SetWindowPlacement
0x48f504 SetWindowLongA
0x48f508 SetTimer
0x48f50c SetScrollRange
0x48f510 SetScrollPos
0x48f514 SetScrollInfo
0x48f518 SetRect
0x48f51c SetPropA
0x48f520 SetParent
0x48f524 SetMenuItemInfoA
0x48f528 SetMenu
0x48f52c SetForegroundWindow
0x48f530 SetFocus
0x48f534 SetCursor
0x48f538 SetClassLongA
0x48f53c SetCapture
0x48f540 SetActiveWindow
0x48f544 SendMessageA
0x48f548 ScrollWindow
0x48f54c ScreenToClient
0x48f550 RemovePropA
0x48f554 RemoveMenu
0x48f558 ReleaseDC
0x48f55c ReleaseCapture
0x48f568 RegisterClassA
0x48f56c RedrawWindow
0x48f570 PtInRect
0x48f574 PostQuitMessage
0x48f578 PostMessageA
0x48f57c PeekMessageA
0x48f580 OffsetRect
0x48f584 OemToCharA
0x48f58c MessageBoxA
0x48f590 MapWindowPoints
0x48f594 MapVirtualKeyA
0x48f598 LoadStringA
0x48f59c LoadKeyboardLayoutA
0x48f5a0 LoadIconA
0x48f5a4 LoadCursorA
0x48f5a8 LoadBitmapA
0x48f5ac KillTimer
0x48f5b0 IsZoomed
0x48f5b4 IsWindowVisible
0x48f5b8 IsWindowEnabled
0x48f5bc IsWindow
0x48f5c0 IsRectEmpty
0x48f5c4 IsIconic
0x48f5c8 IsDialogMessageA
0x48f5cc IsChild
0x48f5d0 InvalidateRect
0x48f5d4 IntersectRect
0x48f5d8 InsertMenuItemA
0x48f5dc InsertMenuA
0x48f5e0 InflateRect
0x48f5e8 GetWindowTextA
0x48f5ec GetWindowRect
0x48f5f0 GetWindowPlacement
0x48f5f4 GetWindowLongA
0x48f5f8 GetWindowDC
0x48f5fc GetTopWindow
0x48f600 GetSystemMetrics
0x48f604 GetSystemMenu
0x48f608 GetSysColorBrush
0x48f60c GetSysColor
0x48f610 GetSubMenu
0x48f614 GetScrollRange
0x48f618 GetScrollPos
0x48f61c GetScrollInfo
0x48f620 GetPropA
0x48f624 GetParent
0x48f628 GetWindow
0x48f62c GetMessagePos
0x48f630 GetMenuStringA
0x48f634 GetMenuState
0x48f638 GetMenuItemInfoA
0x48f63c GetMenuItemID
0x48f640 GetMenuItemCount
0x48f644 GetMenu
0x48f648 GetLastActivePopup
0x48f64c GetKeyboardState
0x48f654 GetKeyboardLayout
0x48f658 GetKeyState
0x48f65c GetKeyNameTextA
0x48f660 GetIconInfo
0x48f664 GetForegroundWindow
0x48f668 GetFocus
0x48f66c GetDesktopWindow
0x48f670 GetDCEx
0x48f674 GetDC
0x48f678 GetCursorPos
0x48f67c GetCursor
0x48f680 GetClientRect
0x48f684 GetClassNameA
0x48f688 GetClassInfoA
0x48f68c GetCapture
0x48f690 GetActiveWindow
0x48f694 FrameRect
0x48f698 FindWindowA
0x48f69c FillRect
0x48f6a0 EqualRect
0x48f6a4 EnumWindows
0x48f6a8 EnumThreadWindows
0x48f6ac EndPaint
0x48f6b0 EnableWindow
0x48f6b4 EnableScrollBar
0x48f6b8 EnableMenuItem
0x48f6bc DrawTextA
0x48f6c0 DrawMenuBar
0x48f6c4 DrawIconEx
0x48f6c8 DrawIcon
0x48f6cc DrawFrameControl
0x48f6d0 DrawFocusRect
0x48f6d4 DrawEdge
0x48f6d8 DispatchMessageA
0x48f6dc DestroyWindow
0x48f6e0 DestroyMenu
0x48f6e4 DestroyIcon
0x48f6e8 DestroyCursor
0x48f6ec DeleteMenu
0x48f6f0 DefWindowProcA
0x48f6f4 DefMDIChildProcA
0x48f6f8 DefFrameProcA
0x48f6fc CreatePopupMenu
0x48f700 CreateMenu
0x48f704 CreateIcon
0x48f708 ClientToScreen
0x48f710 CheckMenuItem
0x48f714 CallWindowProcA
0x48f718 CallNextHookEx
0x48f71c BeginPaint
0x48f720 CharNextA
0x48f724 CharLowerA
0x48f728 CharUpperBuffA
0x48f72c CharToOemA
0x48f730 AdjustWindowRectEx
Library kernel32.dll:
0x48f73c Sleep
Library oleaut32.dll:
0x48f744 SafeArrayPtrOfIndex
0x48f748 SafeArrayGetUBound
0x48f74c SafeArrayGetLBound
0x48f750 SafeArrayCreate
0x48f754 VariantChangeType
0x48f758 VariantCopy
0x48f75c VariantClear
0x48f760 VariantInit
Library ole32.dll:
0x48f768 OleUninitialize
0x48f76c OleInitialize
0x48f770 CoTaskMemAlloc
0x48f774 CoCreateInstance
0x48f778 CoUninitialize
0x48f77c CoInitialize
Library oleaut32.dll:
0x48f784 GetErrorInfo
0x48f788 SysFreeString
Library comctl32.dll:
0x48f798 ImageList_Write
0x48f79c ImageList_Read
0x48f7ac ImageList_DragMove
0x48f7b0 ImageList_DragLeave
0x48f7b4 ImageList_DragEnter
0x48f7b8 ImageList_EndDrag
0x48f7bc ImageList_BeginDrag
0x48f7c0 ImageList_Remove
0x48f7c4 ImageList_DrawEx
0x48f7c8 ImageList_Draw
0x48f7d8 ImageList_Add
0x48f7e0 ImageList_Destroy
0x48f7e4 ImageList_Create
0x48f7e8 InitCommonControls
Library shell32.dll:
0x48f7f0 ShellExecuteExA
0x48f7f4 ShellExecuteA
0x48f7f8 SHGetFileInfoA
Library shell32.dll:
0x48f804 SHGetMalloc
0x48f808 SHGetDesktopFolder

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49191 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49192 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49189 203.208.40.34 update.googleapis.com 443
192.168.56.101 49190 203.208.41.65 redirector.gvt1.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 54260 114.114.114.114 53
192.168.56.101 57236 114.114.114.114 53
192.168.56.101 58970 114.114.114.114 53
192.168.56.101 60088 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 54178 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619677693&mv=m&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619677693&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=f8e5648c7cdf3819&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619677693&mv=m 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=f8e5648c7cdf3819&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619677693&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.