16.2
0-day

SHA256: 8f844e5b3c1f3c7f1be346becd3f8feafea5c0863d719521b8cd1c5c0ae1f3c7

File name: 81c8115b2be8f6cddb3dbf635d30b063.exe (the sample's MD5 plus .exe; the McAfee detection name below embeds the same prefix)

Analysis duration: 108s

Most recent analysis:

File size: 3.2MB
Static detection: malicious. Dynamic detection: malicious. Score: 100%
Detection tags: ABWLH AI SCORE=100 AIDETECTVM APPLICUNWNT@#2J5Y40K8EF4OB ATTRIBUTE BSCOPE CHINA CONFIDENCE EJZWPC FILEREPMALWARE GA25058B GENASA GENERIC PUA MC GENERICRXAA GENETIC GHWTGT HAO123 HIGHCONFIDENCE KCLOUD MALWARE2 OCCAMY RVJK SAMCA SCORE SOFTCNAPP STATIC AI SUSPICIOUS PE TOB5 UNSAFE UVPM ZUSY
Eagle Eye (鹰眼) engine
Not detected (no Eagle Eye engine result available)
Static verdict
Antivirus engines
Engine        Result                                   Scan date    Engine version
Alibaba       AdWare:Win32/Samca.2cdbdf6d              2019-05-27   0.3.0.5
Baidu         (no detection)                           2019-03-18   1.0.0.2
Avast         Win32:Evo-gen [Susp]                     2021-01-02   21.1.5827.0
Kingsoft      Win32.Troj.Generic_a.a.(kcloud)          2021-01-03   2017.9.26.565
McAfee        GenericRXAA-AA!81C8115B2BE8              2021-01-02   6.0.6.653
Tencent       (no detection)                           2021-01-03   1.0.0.1
CrowdStrike   win/malicious_confidence_80% (W)         2019-07-02   1.0
Static indicators
Queries for the computername (3 events)
Time & API Arguments Status Return Repeated
1620837381.443125
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620837395.458125
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620837405.458125
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Command line console output was observed (3 events)
Time & API Arguments Status Return Repeated
1620836967.305896
WriteConsoleW
buffer: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Temp\{E226DE21-FFBD-44CE-80CC-6C9C5F010908}\nvMultitask.exe
console_handle: 0x0000000000000007
success 1 0
1620836967.414896
WriteConsoleW
buffer: Access denied. (original console text: 拒绝访问。)
console_handle: 0x000000000000000b
success 1 0
1620836967.414644
WriteConsoleW
buffer: 1 file(s) moved. (original console text: 移动了 1 个文件。)
console_handle: 0x0000000000000007
success 1 0
This executable has a PDB path (1 event)
pdb_path E:\HDwnlder\bin\Hao123Downloader.pdb
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1620837394.224875
GlobalMemoryStatusEx
success 1 0
The file contains an unknown PE resource name possibly indicative of a packer (3 events)
resource name BIN
resource name XML
resource name ZIPRES
Behavioral verdict
Dynamic indicators
Performs some HTTP requests (15 events). The update.php and log.php requests carry a component tag (genre=tsKdx), a per-install identifier (umid) and a checksum-like ck value; the two service.123juzi.com beacons carry a percent-encoded JSON document in the metrics parameter. The ww2. and ww25. hosts queried with a subid1 parameter are characteristic of domain-parking redirects, which suggests (but the trace does not state) that the original update hosts were no longer serving at analysis time.
request GET http://update.123juzi.net/update.php?genre=tsKdx&type=tsKdx_updateCheck&ver=3.2.0.1&cid=&umid=ABCA815BD1F0536ADC55EE293EDE7CD2&os=3&safe=0&ie=8&flash=&ck=A5B8646398DA57304D555CB797D51C66
request GET http://service.123juzi.com/i?app_key=b6b8c04109716276048a7ab0c2908f7becedf903&device_id=0000567c00002e6f0000227500002b7600001724&sdk_version=16.02&begin_session=1&metrics=%7b%0a%22_os%22%3a%22Windows%207%22%2c%0a%22_device%22%3a%22PC%22%2c%0a%22_resolution%22%3a%22800x600%22%2c%0a%22_carrier%22%3a%22Free%22%2c%0a%22_app_version%22%3a%223.2.0.1%22%0a%7d
request GET http://service.123juzi.com/i?app_key=e131e8b51bc9c4bb395446794bfdcef9e115b082&device_id=00005ce80000063900001efb00001b03000006b3&sdk_version=16.02&begin_session=1&metrics=%7b%0a%22_os%22%3a%22Windows%207%22%2c%0a%22_device%22%3a%22PC%22%2c%0a%22_resolution%22%3a%22800x600%22%2c%0a%22_carrier%22%3a%22Free%22%2c%0a%22_app_version%22%3a%221.0.0.8%22%0a%7d
request GET http://ww25.update.123juzi.net/update.php?genre=tsKdx&type=tsKdx_updateCheck&ver=3.2.0.1&cid=&umid=ABCA815BD1F0536ADC55EE293EDE7CD2&os=3&safe=0&ie=8&flash=&ck=A5B8646398DA57304D555CB797D51C66&subid1=20210512-1836-33c2-9d41-e1f66e552aa8
request GET http://log.123juzi.net/log.php?type=tsKdx_updateEnd&ver=3.2.0.1&cid=&umid=ABCA815BD1F0536ADC55EE293EDE7CD2&i=6&ir=0&iec=503&os=3&safe=0&ie=8&flash=&ck=05B253939E7BD52BB1EA1D797A4FC121
request GET http://ww2.123juzi.net/
request GET http://ww25.123juzi.net/?subid1=20210512-1836-3654-b1b3-4399bfe049ad
request GET http://update.123juzi.net/ntflp.php
request GET http://opensoft.hao123.com/uploads/member/2013/1122/20131122090744528eae609f18b.jpg
request GET http://ww25.update.123juzi.net/ntflp.php?subid1=20210512-1836-3822-8713-6a914b8c67aa
request GET http://www.skycn.com/
request GET http://orange.hao123.com/common/cmsone?cms=soft_dl&keys=class_soft_task
request GET http://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAAURO8EJH
request GET http://ocsp2.globalsign.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDBhyuElvTh7HbtMMiw%3D%3D
request GET https://www.hao123.com/
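The four telemetry URLs above are decoded with the Python below. This script is added for this write-up; it is not code from the sandbox report or from the 123juzi software. The URLs are copied verbatim from the trace; the grouping of identifiers (umid, ck, device_id, app_key) is the script's own and assumes nothing about how those values are generated.

```python
"""Decode the 123juzi update-check and telemetry URLs captured in the trace."""
import json
from urllib.parse import urlsplit, parse_qs

# Request URLs copied from the sandbox trace above (the only inputs).
REQUESTS = [
    "http://update.123juzi.net/update.php?genre=tsKdx&type=tsKdx_updateCheck&ver=3.2.0.1&cid=&umid=ABCA815BD1F0536ADC55EE293EDE7CD2&os=3&safe=0&ie=8&flash=&ck=A5B8646398DA57304D555CB797D51C66",
    "http://service.123juzi.com/i?app_key=b6b8c04109716276048a7ab0c2908f7becedf903&device_id=0000567c00002e6f0000227500002b7600001724&sdk_version=16.02&begin_session=1&metrics=%7b%0a%22_os%22%3a%22Windows%207%22%2c%0a%22_device%22%3a%22PC%22%2c%0a%22_resolution%22%3a%22800x600%22%2c%0a%22_carrier%22%3a%22Free%22%2c%0a%22_app_version%22%3a%223.2.0.1%22%0a%7d",
    "http://service.123juzi.com/i?app_key=e131e8b51bc9c4bb395446794bfdcef9e115b082&device_id=00005ce80000063900001efb00001b03000006b3&sdk_version=16.02&begin_session=1&metrics=%7b%0a%22_os%22%3a%22Windows%207%22%2c%0a%22_device%22%3a%22PC%22%2c%0a%22_resolution%22%3a%22800x600%22%2c%0a%22_carrier%22%3a%22Free%22%2c%0a%22_app_version%22%3a%221.0.0.8%22%0a%7d",
    "http://log.123juzi.net/log.php?type=tsKdx_updateEnd&ver=3.2.0.1&cid=&umid=ABCA815BD1F0536ADC55EE293EDE7CD2&i=6&ir=0&iec=503&os=3&safe=0&ie=8&flash=&ck=05B253939E7BD52BB1EA1D797A4FC121",
]


def decode_request(url):
    """Split one URL into host, path and a flat parameter dict.

    parse_qs percent-decodes every value; the 'metrics' parameter sent to
    service.123juzi.com is then a plain JSON object and is parsed as such.
    Blank values (cid=, flash=) are kept so the parameter set stays visible.
    """
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    if "metrics" in params:
        params["metrics"] = json.loads(params["metrics"])
    return {"host": parts.hostname, "path": parts.path, "params": params}


def summarize(urls):
    """Group requests by host and collect the identifiers that tie beacons together."""
    by_host = {}
    ids = {"umid": set(), "ck": set(), "device_id": set(), "app_key": set(), "app_version": set()}
    for url in urls:
        rec = decode_request(url)
        by_host.setdefault(rec["host"], []).append(rec)
        p = rec["params"]
        for key in ("umid", "ck", "device_id", "app_key"):
            if p.get(key):                       # skip blank parameters
                ids[key].add(p[key])
        if isinstance(p.get("metrics"), dict):   # version reported inside the JSON beacon
            ids["app_version"].add(p["metrics"].get("_app_version"))
        if p.get("ver"):                         # version reported on update.php / log.php
            ids["app_version"].add(p["ver"])
    return by_host, {k: sorted(v) for k, v in ids.items()}


if __name__ == "__main__":
    hosts, identifiers = summarize(REQUESTS)
    for host, recs in hosts.items():
        print(host, [r["path"] for r in recs])
    print(json.dumps(identifiers, indent=2))
```

What the decoded data shows: the umid is identical in the updateCheck and updateEnd requests while ck differs per request, so umid is the stable install identifier to pivot on; the two service.123juzi.com beacons use different app_key/device_id pairs and report different _app_version values (3.2.0.1 and 1.0.0.8), consistent with two separately instrumented components phoning home, which matches the two dropped executables (nvMultitask.exe, HSoftDoloEx.exe) listed later in the report.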
Allocates read-write-execute memory (usually to unpack itself) (1 event)
Time & API Arguments Status Return Repeated
1620837012.727521
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00000000079a0000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (5 events)
Time & API Arguments Status Return Repeated
1620837406.958125
GetDiskFreeSpaceExW
root_path: C:\
free_bytes_available: 19466285056
total_number_of_free_bytes: 0
total_number_of_bytes: 0
success 1 0
1620837407.568125
GetDiskFreeSpaceExW
root_path: C:\
free_bytes_available: 19466272768
total_number_of_free_bytes: 0
total_number_of_bytes: 0
success 1 0
1620837409.240125
GetDiskFreeSpaceExW
root_path: C:\
free_bytes_available: 19466272768
total_number_of_free_bytes: 0
total_number_of_bytes: 0
success 1 0
1620837402.990125
GetDiskFreeSpaceExW
root_path: C:\
free_bytes_available: 19424813056
total_number_of_free_bytes: 0
total_number_of_bytes: 0
success 1 0
1620837405.380125
GetDiskFreeSpaceExW
root_path: C:\
free_bytes_available: 19466285056
total_number_of_free_bytes: 0
total_number_of_bytes: 0
success 1 0
Checks for known Chinese AV software registry keys (2 events)
regkey .*360Safe
regkey .*Kingsoft
Foreign language identified in PE resource (9 events)
name BIN language LANG_CHINESE offset 0x001e3b20 filetype TIM image, 24-Bit, Pixel at (14322,50154) Size=59051x13088 sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x001500b3
name XML language LANG_CHINESE offset 0x001e11b0 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000282a
name ZIPRES language LANG_CHINESE offset 0x001dd5f0 filetype Zip archive data, at least v2.0 to extract sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00003bb9
name RT_ICON language LANG_CHINESE offset 0x001dd148 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x001dd148 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x001dd148 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x001dd148 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_GROUP_ICON language LANG_CHINESE offset 0x001dd5b0 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000003e
name RT_VERSION language LANG_CHINESE offset 0x001e39e0 filetype MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79 sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000140
Creates executable files on the filesystem (5 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Temp\{E226DE21-FFBD-44CE-80CC-6C9C5F010908}\npJuziPlugin.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nvMultitasking\HSoftDoloEx.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nvMultitasking\bime64.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Temp\{E226DE21-FFBD-44CE-80CC-6C9C5F010908}\nvMultitask.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nvMultitasking\bime.dll
Creates a service (2 events). Decoded arguments: service_type 2 = SERVICE_FILE_SYSTEM_DRIVER, start_type 1 = SERVICE_SYSTEM_START, desired_access 983551 = 0xF01FF = SERVICE_ALL_ACCESS. Both image paths point into System32\drivers, while the dropped copies listed below are LcScience.sys and WaNdFilter.sys under AppData\Local\Temp\nvMultitasking; the trace does not show the copy into System32\drivers, and on the 64-bit Windows 7 host seen in the user agent a driver only loads with a valid kernel-mode signature, so verify both the file write and the signature before treating these drivers as loaded.
Time & API Arguments Status Return Repeated
1620837391.115125
CreateServiceW
service_start_name:
start_type: 1
service_handle: 0x003aef68
display_name: LcScience
error_control: 1
service_name: LcScience
filepath: C:\Windows\System32\drivers\LcScience64.sys
filepath_r: C:\Windows\system32\drivers\LcScience64.sys
service_manager_handle: 0x003af008
desired_access: 983551
service_type: 2
password:
success 3862376 0
1620837393.443125
CreateServiceW
service_start_name:
start_type: 1
service_handle: 0x003aec48
display_name: WaNdFilter
error_control: 1
service_name: WaNdFilter
filepath: C:\Windows\System32\drivers\WaNdFilter64.sys
filepath_r: C:\Windows\system32\drivers\WaNdFilter64.sys
service_manager_handle: 0x003aec70
desired_access: 983551
service_type: 2
password:
success 3861576 0
Creates a suspicious process (4 events)
cmdline cmd.exe /c move "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Temp\{E226DE21-FFBD-44CE-80CC-6C9C5F010908}\nvMultitask.exe" C:\Users\ADMINI~1.OSK\AppData\Local\Temp\BE3A.tmp
cmdline "C:\Windows\System32\cmd.exe" /c move "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Temp\{E226DE21-FFBD-44CE-80CC-6C9C5F010908}\nvMultitask.exe" C:\Users\ADMINI~1.OSK\AppData\Local\Temp\BE3A.tmp
cmdline "C:\Windows\System32\cmd.exe" /c del /q /f "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Temp\{E226DE21-FFBD-44CE-80CC-6C9C5F010908}\nvMultitask.exe"
cmdline cmd.exe /c del /q /f "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Temp\{E226DE21-FFBD-44CE-80CC-6C9C5F010908}\nvMultitask.exe"
Drops an executable to the user AppData folder (5 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nvMultitasking\WaNdFilter.sys
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nvMultitasking\LcScience.sys
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nvMultitasking\HSoftDoloEx.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nvMultitasking\bime.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Temp\{E226DE21-FFBD-44CE-80CC-6C9C5F010908}\npJuziPlugin.dll
Executes one or more WMI queries (11 events)
wmi SELECT Name,CommandLine FROM Win32_Process where ProcessId=3056
wmi SELECT * FROM Win32_OperatingSystem
wmi SELECT * FROM Win32_PhysicalMemory
wmi SELECT * FROM Win32_DiskDrive WHERE (PNPDeviceID IS NOT NULL) AND (NOT (InterfaceType = 'USB'))
wmi SELECT * FROM Win32_UserAccount
wmi SELECT * FROM Win32_BIOS WHERE (SerialNumber IS NOT NULL)
wmi SELECT * FROM Win32_Processor WHERE (ProcessorId IS NOT NULL)
wmi SELECT * FROM Win32_SoundDevice WHERE (PNPDeviceID IS NOT NULL)
wmi SELECT * FROM Win32_NetworkAdapter WHERE (MACAddress IS NOT NULL) AND (NOT (PNPDeviceID LIKE 'ROOT%'))
wmi SELECT * FROM Win32_BaseBoard WHERE (SerialNumber IS NOT NULL)
wmi SELECT Name,CommandLine FROM Win32_Process where ProcessId=2452
A process created a hidden window (2 events)
Time & API Arguments Status Return Repeated
1620837396.224875
ShellExecuteExW
parameters: /c del /q /f "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Temp\{E226DE21-FFBD-44CE-80CC-6C9C5F010908}\nvMultitask.exe"
filepath: cmd.exe
filepath_r: cmd.exe
show_type: 0
success 1 0
1620837396.271875
ShellExecuteExW
parameters: /c move "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Temp\{E226DE21-FFBD-44CE-80CC-6C9C5F010908}\nvMultitask.exe" C:\Users\ADMINI~1.OSK\AppData\Local\Temp\BE3A.tmp
filepath: cmd.exe
filepath_r: cmd.exe
show_type: 0
success 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1620837398.036125
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0 (111 = ERROR_BUFFER_OVERFLOW: the first GetAdaptersAddresses call only reports the required buffer size; the follow-up call that returns the adapter list is not in the trace)
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.95377451128591 section {'size_of_data': '0x0016b000', 'virtual_address': '0x001c9000', 'entropy': 7.95377451128591, 'name': '.rsrc', 'virtual_size': '0x0016af40'} description A section with a high entropy has been found
entropy 0.43973349485160507 description Overall entropy of this PE file is high. This figure is not an entropy: it is the fraction of section data that lives in sections above Cuckoo's 6.8 bits-per-byte threshold, and .rsrc alone accounts for it. Per the resource table above, .rsrc is dominated by the 0x1500b3-byte BIN resource plus the ZIPRES zip archive, so the high-entropy data is an embedded resource payload rather than packed code.
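The entropy figures above follow Cuckoo's packer_entropy signature: a section counts as high-entropy above 6.8 bits per byte, and the "overall entropy" is the fraction of section data in such sections (flagged above 0.2). The Python below, added here and not part of the report, computes both and shows how the same function separates code-like bytes from compressed or encrypted bytes. The .rsrc row uses the values from the report; the single "other sections" entry is an assumption: the report does not list the other sections, so their combined size (0x1ce800 bytes) is back-calculated from the reported ratio so that the example reproduces 0.4397.

```python
"""Section entropy and the Cuckoo packer_entropy ratio."""
import hashlib
import math
from collections import Counter

HIGH_ENTROPY = 6.8   # Cuckoo packer_entropy: per-section threshold, bits per byte
PACKED_RATIO = 0.2   # Cuckoo packer_entropy: "overall entropy" threshold


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packer_entropy(sections):
    """Reproduce the two marks of Cuckoo's packer_entropy signature.

    sections: list of {"name", "size_of_data", "entropy"} as a PE parser reports them.
    """
    total = sum(s["size_of_data"] for s in sections)
    high = [s for s in sections if s["entropy"] > HIGH_ENTROPY]
    packed = sum(s["size_of_data"] for s in high)
    ratio = packed / total if total else 0.0
    return {
        "high_entropy_sections": [s["name"] for s in high],
        "ratio": ratio,                      # what the report prints as "overall entropy"
        "flag_overall": ratio > PACKED_RATIO,
    }


def sections_from_bytes(named_blobs):
    """Build the section list from raw section bytes (e.g. pefile's section.get_data())."""
    return [{"name": n, "size_of_data": len(b), "entropy": shannon_entropy(b)}
            for n, b in named_blobs]


# .rsrc: values from the report. "other sections": assumed, size back-calculated from
# the reported ratio (0x16b000 / 0.4397335 ~= 0x339800 bytes of section data in total).
SECTIONS = [
    {"name": ".rsrc", "size_of_data": 0x0016B000, "entropy": 7.95377451128591},
    {"name": "(other sections, assumed)", "size_of_data": 0x001CE800, "entropy": 5.0},
]

# Constructed sample bytes: repetitive ASCII stands in for a code/strings section,
# a SHA-256 chain stands in for compressed or encrypted data.
TEXT_LIKE = b"plain ASCII strings and code-like bytes repeat a lot in a real .text section " * 64
PACKED_LIKE = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))

if __name__ == "__main__":
    print(packer_entropy(SECTIONS))
    for s in sections_from_bytes([(".text", TEXT_LIKE), (".rsrc", PACKED_LIKE)]):
        print(s["name"], round(s["entropy"], 3), s["entropy"] > HIGH_ENTROPY)
```

The ratio alone cannot distinguish a packed executable from a clean installer with a large compressed resource; pair it with where the high-entropy bytes sit (resource directory versus code sections) and with the resource table, as the report's own rows allow here.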
Queries for potentially installed applications (40 events; every RegOpenKeyExW below returns 2 = ERROR_FILE_NOT_FOUND, so none of the probed uninstall entries, QQPCMgr, 百度卫士 (Baidu Guard), 百度杀毒 (Baidu Antivirus), Kingsoft Internet Security, QingYun and the GUID-named entries, exists in the sandbox)
Time & API Arguments Status Return Repeated
1620837407.005125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
options: 0
failed 2 0
1620837407.005125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士
options: 0
failed 2 0
1620837407.005125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒
options: 0
failed 2 0
1620837407.005125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Internet Security
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Internet Security
options: 0
failed 2 0
1620837407.521125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
options: 0
failed 2 0
1620837407.521125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士
options: 0
failed 2 0
1620837407.521125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒
options: 0
failed 2 0
1620837407.521125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Internet Security
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Internet Security
options: 0
failed 2 0
1620837409.349125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
options: 0
failed 2 0
1620837409.349125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士
options: 0
failed 2 0
1620837409.349125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒
options: 0
failed 2 0
1620837409.349125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Internet Security
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Internet Security
options: 0
failed 2 0
1620837395.052125
RegOpenKeyExW
access: 0x00020219
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{B3111FE2-035F-460C-82B8-7660238F29D7}
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{B3111FE2-035F-460C-82B8-7660238F29D7}
options: 0
failed 2 0
1620837395.052125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x00000128
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{B3111FE2-035F-460C-82B8-7660238F29D7}
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{B3111FE2-035F-460C-82B8-7660238F29D7}
options: 0
failed 2 0
1620837395.052125
RegOpenKeyExW
access: 0x00020219
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{C5E2255C-66FA-4187-8EB6-5176247C4723}
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{C5E2255C-66FA-4187-8EB6-5176247C4723}
options: 0
failed 2 0
1620837395.052125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x0000012c
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{C5E2255C-66FA-4187-8EB6-5176247C4723}
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{C5E2255C-66FA-4187-8EB6-5176247C4723}
options: 0
failed 2 0
1620837395.052125
RegOpenKeyExW
access: 0x00020219
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{06195811-1751-4699-A5D5-59D13013648B}
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{06195811-1751-4699-A5D5-59D13013648B}
options: 0
failed 2 0
1620837395.052125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x00000134
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{06195811-1751-4699-A5D5-59D13013648B}
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{06195811-1751-4699-A5D5-59D13013648B}
options: 0
failed 2 0
1620837395.052125
RegOpenKeyExW
access: 0x00020219
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\QingYun
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\QingYun
options: 0
failed 2 0
1620837395.052125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x00000138
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\QingYun
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\QingYun
options: 0
failed 2 0
1620837395.052125
RegOpenKeyExW
access: 0x00020219
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{9FDC89C2-290D-4213-A148-AA98D4693981}
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{9FDC89C2-290D-4213-A148-AA98D4693981}
options: 0
failed 2 0
1620837395.052125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x0000013c
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{9FDC89C2-290D-4213-A148-AA98D4693981}
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{9FDC89C2-290D-4213-A148-AA98D4693981}
options: 0
failed 2 0
1620837395.052125
RegOpenKeyExW
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{B3111FE2-035F-460C-82B8-7660238F29D7}
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{B3111FE2-035F-460C-82B8-7660238F29D7}
options: 0
failed 2 0
1620837395.052125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x00000024
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{B3111FE2-035F-460C-82B8-7660238F29D7}
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{B3111FE2-035F-460C-82B8-7660238F29D7}
options: 0
failed 2 0
1620837395.052125
RegOpenKeyExW
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{C5E2255C-66FA-4187-8EB6-5176247C4723}
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{C5E2255C-66FA-4187-8EB6-5176247C4723}
options: 0
failed 2 0
1620837395.052125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x00000140
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{C5E2255C-66FA-4187-8EB6-5176247C4723}
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{C5E2255C-66FA-4187-8EB6-5176247C4723}
options: 0
failed 2 0
1620837395.052125
RegOpenKeyExW
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{06195811-1751-4699-A5D5-59D13013648B}
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{06195811-1751-4699-A5D5-59D13013648B}
options: 0
failed 2 0
1620837395.052125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x00000144
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{06195811-1751-4699-A5D5-59D13013648B}
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{06195811-1751-4699-A5D5-59D13013648B}
options: 0
failed 2 0
1620837395.052125
RegOpenKeyExW
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\QingYun
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\QingYun
options: 0
failed 2 0
1620837395.052125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x00000148
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\QingYun
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\QingYun
options: 0
failed 2 0
1620837395.052125
RegOpenKeyExW
access: 0x00020219
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{9FDC89C2-290D-4213-A148-AA98D4693981}
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{9FDC89C2-290D-4213-A148-AA98D4693981}
options: 0
failed 2 0
1620837395.052125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x0000014c
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{9FDC89C2-290D-4213-A148-AA98D4693981}
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{9FDC89C2-290D-4213-A148-AA98D4693981}
options: 0
failed 2 0
1620837396.490125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
options: 0
failed 2 0
1620837396.490125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士
options: 0
failed 2 0
1620837396.490125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒
options: 0
failed 2 0
1620837396.490125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Internet Security
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Internet Security
options: 0
failed 2 0
1620837403.036125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
options: 0
failed 2 0
1620837403.036125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士
options: 0
failed 2 0
1620837403.036125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\百度杀毒
options: 0
failed 2 0
1620837403.036125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Internet Security
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Kingsoft Internet Security
options: 0
failed 2 0
Reads the systems User Agent and subsequently performs requests (1 event)
Time & API Arguments Status Return Repeated
1620837392.786125
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 268435456
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline "C:\Windows\System32\cmd.exe" /c del /q /f "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Temp\{E226DE21-FFBD-44CE-80CC-6C9C5F010908}\nvMultitask.exe"
cmdline cmd.exe /c del /q /f "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Temp\{E226DE21-FFBD-44CE-80CC-6C9C5F010908}\nvMultitask.exe"
Executes one or more WMI queries which can be used to identify virtual machines (6 events)
wmi SELECT * FROM Win32_Processor WHERE (ProcessorId IS NOT NULL)
wmi SELECT * FROM Win32_BIOS WHERE (SerialNumber IS NOT NULL)
wmi SELECT * FROM Win32_PhysicalMemory
wmi SELECT * FROM Win32_DiskDrive WHERE (PNPDeviceID IS NOT NULL) AND (NOT (InterfaceType = 'USB'))
wmi SELECT * FROM Win32_SoundDevice WHERE (PNPDeviceID IS NOT NULL)
wmi SELECT * FROM Win32_NetworkAdapter WHERE (MACAddress IS NOT NULL) AND (NOT (PNPDeviceID LIKE 'ROOT%'))
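The registry, WMI and CreateServiceW rows above are the raw material of three of the report's signatures: security-product probing through Uninstall keys, hardware-identity queries through WMI, and kernel-driver service installation. The Python below, added here and not part of the sandbox or of the sample, re-derives those three findings from event records constructed to mirror rows in the trace. The tuple layout, the "wmi" pseudo-event, the one-second burst window and the product list are the example's own choices; the service-type, start-type and access constants are the Windows SDK values.

```python
"""Re-derive three behavioural signatures from Cuckoo-style API events."""

# Constructed sample events mirroring rows in the trace above:
# (timestamp, api, arguments, status, return). WMI queries are carried here as
# pseudo-events with api == "wmi"; a real Cuckoo report lists them separately.
UNINSTALL = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall"
EVENTS = [
    (1620837391.115, "CreateServiceW",
     {"service_name": "LcScience", "service_type": 2, "start_type": 1, "desired_access": 983551,
      "filepath": r"C:\Windows\System32\drivers\LcScience64.sys"}, "success", 3862376),
    (1620837393.443, "CreateServiceW",
     {"service_name": "WaNdFilter", "service_type": 2, "start_type": 1, "desired_access": 983551,
      "filepath": r"C:\Windows\System32\drivers\WaNdFilter64.sys"}, "success", 3861576),
    (1620837407.005, "RegOpenKeyExW", {"regkey": UNINSTALL + r"\QQPCMgr"}, "failed", 2),
    (1620837407.005, "RegOpenKeyExW", {"regkey": UNINSTALL + "\\百度卫士"}, "failed", 2),
    (1620837407.005, "RegOpenKeyExW", {"regkey": UNINSTALL + "\\百度杀毒"}, "failed", 2),
    (1620837407.005, "RegOpenKeyExW", {"regkey": UNINSTALL + r"\Kingsoft Internet Security"}, "failed", 2),
    (1620837395.052, "RegOpenKeyExW", {"regkey": UNINSTALL + r"\QingYun"}, "failed", 2),
    (1620837398.0, "wmi", {"query": "SELECT * FROM Win32_BIOS WHERE (SerialNumber IS NOT NULL)"}, "success", 0),
    (1620837398.0, "wmi", {"query": "SELECT * FROM Win32_Processor WHERE (ProcessorId IS NOT NULL)"}, "success", 0),
    (1620837398.0, "wmi", {"query": "SELECT * FROM Win32_BaseBoard WHERE (SerialNumber IS NOT NULL)"}, "success", 0),
    (1620837398.0, "wmi", {"query": "SELECT * FROM Win32_NetworkAdapter WHERE (MACAddress IS NOT NULL)"}, "success", 0),
    (1620837398.0, "wmi", {"query": "SELECT * FROM Win32_UserAccount"}, "success", 0),
]

# Uninstall subkeys of security products seen probed in the trace (example list).
SECURITY_PRODUCT_KEYS = {"QQPCMgr", "百度卫士", "百度杀毒", "Kingsoft Internet Security", "360Safe"}
# WMI classes whose serial numbers / IDs identify hardware (and expose hypervisor defaults).
HARDWARE_IDENTITY_CLASSES = {"Win32_BIOS", "Win32_Processor", "Win32_BaseBoard",
                             "Win32_NetworkAdapter", "Win32_DiskDrive", "Win32_PhysicalMemory"}
# Windows SDK constants (winsvc.h / winerror.h).
SERVICE_TYPES = {1: "SERVICE_KERNEL_DRIVER", 2: "SERVICE_FILE_SYSTEM_DRIVER",
                 16: "SERVICE_WIN32_OWN_PROCESS", 32: "SERVICE_WIN32_SHARE_PROCESS"}
START_TYPES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
               3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}
SERVICE_ALL_ACCESS = 0xF01FF
ERROR_FILE_NOT_FOUND = 2


def detect_av_discovery(events, window=1.0, min_products=3):
    """Flag bursts of Uninstall-key probes naming known security products.

    A return value of 2 (ERROR_FILE_NOT_FOUND) on every probe means none is installed.
    """
    probes = []
    for ts, api, args, _status, ret in events:
        key = args.get("regkey", "")
        if api != "RegOpenKeyExW" or "\\CurrentVersion\\Uninstall\\" not in key:
            continue
        product = key.rsplit("\\", 1)[1]
        if product in SECURITY_PRODUCT_KEYS:
            probes.append((ts, product, ret))
    probes.sort()
    findings, i = [], 0
    while i < len(probes):                       # group probes into time windows
        j = i
        while j < len(probes) and probes[j][0] - probes[i][0] <= window:
            j += 1
        burst = probes[i:j]
        products = {p for _, p, _ in burst}
        if len(products) >= min_products:
            findings.append({"start": burst[0][0], "products": sorted(products),
                             "all_absent": all(r == ERROR_FILE_NOT_FOUND for _, _, r in burst)})
        i = j
    return findings


def detect_hw_fingerprint(events, min_classes=3):
    """Return the hardware-identity WMI classes queried, if enough of them were."""
    classes = set()
    for _ts, api, args, _status, _ret in events:
        if api != "wmi":
            continue
        q = args["query"].upper()
        classes.update(c for c in HARDWARE_IDENTITY_CLASSES if f"FROM {c.upper()}" in q)
    return sorted(classes) if len(classes) >= min_classes else []


def detect_driver_install(events):
    """Decode successful CreateServiceW calls that register a kernel or file-system driver."""
    out = []
    for _ts, api, args, status, ret in events:
        if api != "CreateServiceW" or status != "success" or not ret:
            continue
        stype = args["service_type"]
        if stype not in (1, 2):                  # only driver service types
            continue
        out.append({"service": args["service_name"], "image": args["filepath"],
                    "type": SERVICE_TYPES[stype], "start": START_TYPES[args["start_type"]],
                    "all_access": args["desired_access"] == SERVICE_ALL_ACCESS})
    return out


if __name__ == "__main__":
    print(detect_av_discovery(EVENTS))
    print(detect_hw_fingerprint(EVENTS))
    print(detect_driver_install(EVENTS))
```

The burst window matters: the report's forty RegOpenKeyExW rows are five repetitions of the same four-key probe at different timestamps, and a per-window grouping reports each repetition once rather than inflating the count. The driver decoder surfaces what the raw rows hide: both services are file-system drivers set to start at system boot and opened with SERVICE_ALL_ACCESS.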
Network communication
Communicates with host for which no DNS query was performed (2 events)
host 172.217.24.14
host 37.139.21.175
Installs itself for autorun at Windows startup (2 events: the two driver services created above, start_type SERVICE_SYSTEM_START)
service_name LcScience service_path C:\Windows\System32\drivers\LcScience64.sys
service_name WaNdFilter service_path C:\Windows\System32\drivers\WaNdFilter64.sys
Creates or sets a registry key to a long series of bytes, possibly to store a binary or malware config (1 event; the tsKdx key name matches the genre=tsKdx parameter of the update.php requests above)
Time & API Arguments Status Return Repeated
1620837421.583125
RegSetValueExW
key_handle: 0x00000264
value: (REG_BINARY; the report renders the bytes as mojibake and they are not reproduced here. A short non-repeating head is followed by the same short byte unit repeated for the rest of the value, a layout worth testing against a repeating-key XOR over zero padding when the blob is examined.)
regkey_r: stn0
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\tsKdx\misctsk\stn0
success 0 0
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Temp\{E226DE21-FFBD-44CE-80CC-6C9C5F010908}\nvMultitask.exe
Disables proxy possibly for traffic interception (2 events). ProxyEnable=0 means "use a direct connection"; no ProxyServer or AutoConfigURL value is written anywhere in the trace, so this is consistent with the downloader resetting its own WinINet connection settings rather than installing an interception proxy.
Time & API Arguments Status Return Repeated
1620837395.833125
RegSetValueExA
key_handle: 0x0000033c
value: 0
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
success 0 0
1620837396.818125
RegSetValueExA
key_handle: 0x00000308
value: 0
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
success 0 0
Creates a windows hook that monitors keyboard input (keylogger) (1 event). thread_identifier 0 makes the WH_KEYBOARD_LL hook global. A low-level keyboard hook is also how installers and GUI applications implement hotkeys, and the trace shows nothing about what the callback at 0xff35ae10 does with keystrokes, so treat the keylogger label as unconfirmed until the callback is examined.
Time & API Arguments Status Return Repeated
1620837019.446521
SetWindowsHookExW
thread_identifier: 0
callback_function: 0x00000000ff35ae10
module_address: 0x00000000ff2b0000
hook_identifier: 13 (WH_KEYBOARD_LL)
success 852287 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (29 events). The Wpad\{interface GUID}\WpadDecision, WpadDecisionReason, WpadDecisionTime and WpadNetworkName values are the WinINet/WinHTTP automatic proxy detection cache; no AutoConfigURL is written, so these writes are consistent with ordinary auto-proxy detection triggered by the HTTP requests above rather than with a PAC file being planted.
Time & API Arguments Status Return Repeated
1620837400.661125
RegSetValueExA
key_handle: 0x000003f0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620837400.661125
RegSetValueExA
key_handle: 0x000003f0
value: PˆÈeGG×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620837400.661125
RegSetValueExA
key_handle: 0x000003f0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620837400.661125
RegSetValueExW
key_handle: 0x000003f0
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620837400.677125
RegSetValueExA
key_handle: 0x00000404
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620837400.677125
RegSetValueExA
key_handle: 0x00000404
value: PˆÈeGG×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620837400.677125
RegSetValueExA
key_handle: 0x00000404
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620837400.974125
RegSetValueExA
key_handle: 0x00000440
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620837400.974125
RegSetValueExA
key_handle: 0x00000440
value: àJøeGG×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620837400.990125
RegSetValueExA
key_handle: 0x00000440
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620837400.990125
RegSetValueExW
key_handle: 0x00000440
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620837400.990125
RegSetValueExA
key_handle: 0x00000444
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620837400.990125
RegSetValueExA
key_handle: 0x00000444
value: àJøeGG×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620837400.990125
RegSetValueExA
key_handle: 0x00000444
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620837400.661125
RegSetValueExA
key_handle: 0x000003e4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620837400.661125
RegSetValueExA
key_handle: 0x000003e4
value: PˆÈeGG×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620837400.661125
RegSetValueExA
key_handle: 0x000003e4
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620837400.661125
RegSetValueExW
key_handle: 0x000003e4
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620837400.661125
RegSetValueExA
key_handle: 0x000003f4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620837400.661125
RegSetValueExA
key_handle: 0x000003f4
value: PˆÈeGG×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620837400.661125
RegSetValueExA
key_handle: 0x000003f4
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620837400.693125
RegSetValueExW
key_handle: 0x000003e0
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
1620837400.974125
RegSetValueExA
key_handle: 0x00000478
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620837400.974125
RegSetValueExA
key_handle: 0x00000478
value: àJøeGG×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620837400.974125
RegSetValueExA
key_handle: 0x00000478
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620837400.974125
RegSetValueExW
key_handle: 0x00000478
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620837400.974125
RegSetValueExA
key_handle: 0x0000047c
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620837400.974125
RegSetValueExA
key_handle: 0x0000047c
value: àJøeGG×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620837400.974125
RegSetValueExA
key_handle: 0x0000047c
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
Visual Analysis
Binary Image
No binary image: no binary visualization image was generated for this sample
Runtime Screenshots
No runtime screenshots: no screenshots were captured while the sample was running

PE Compile Time

2016-10-31 20:02:53

Imports

Library KERNEL32.dll:
0x57e164 HeapFree
0x57e168 HeapSize
0x57e16c GetProcessHeap
0x57e170 RaiseException
0x57e174 GetLastError
0x57e180 LoadResource
0x57e184 SizeofResource
0x57e188 lstrlenW
0x57e18c FindResourceW
0x57e190 FindResourceExW
0x57e194 MultiByteToWideChar
0x57e198 GetLocaleInfoW
0x57e19c GetNumberFormatW
0x57e1a0 WaitForSingleObject
0x57e1a8 CloseHandle
0x57e1ac GetTickCount
0x57e1b0 lstrcpyW
0x57e1b4 CreateProcessW
0x57e1b8 FreeResource
0x57e1bc GetModuleFileNameW
0x57e1c0 GetCommandLineW
0x57e1c4 WideCharToMultiByte
0x57e1c8 Sleep
0x57e1d4 TerminateThread
0x57e1d8 GetExitCodeThread
0x57e1dc ResumeThread
0x57e1e4 CreateSemaphoreW
0x57e1e8 CreateEventW
0x57e1ec lstrcmpiW
0x57e1f4 HeapAlloc
0x57e1f8 SetEvent
0x57e204 WriteConsoleW
0x57e208 SetStdHandle
0x57e21c GetModuleFileNameA
0x57e220 GetConsoleCP
0x57e224 SetFilePointerEx
0x57e228 ReadConsoleW
0x57e22c GetConsoleMode
0x57e230 GetStdHandle
0x57e234 GetCurrentThread
0x57e238 GetOEMCP
0x57e23c IsValidCodePage
0x57e240 GetModuleHandleExW
0x57e244 EnumSystemLocalesW
0x57e248 GetUserDefaultLCID
0x57e24c IsValidLocale
0x57e250 LCMapStringW
0x57e254 CompareStringW
0x57e258 GetTimeFormatW
0x57e25c GetDateFormatW
0x57e260 GetStartupInfoW
0x57e264 TlsGetValue
0x57e268 SetLastError
0x57e270 GetCPInfo
0x57e274 FatalAppExitA
0x57e278 VirtualQuery
0x57e27c VirtualProtect
0x57e280 VirtualAlloc
0x57e284 GetCommandLineA
0x57e288 LoadLibraryExW
0x57e28c ExitThread
0x57e290 ReleaseSemaphore
0x57e294 HeapReAlloc
0x57e298 RtlUnwind
0x57e2a0 GetStringTypeW
0x57e2a4 EncodePointer
0x57e2a8 HeapDestroy
0x57e2ac LockResource
0x57e2b0 DecodePointer
0x57e2b4 lstrcpynW
0x57e2b8 CreateDirectoryW
0x57e2bc CreateFileW
0x57e2c0 DeleteFileW
0x57e2c4 FindFirstFileW
0x57e2c8 FindNextFileW
0x57e2cc FindClose
0x57e2d0 SetFileAttributesW
0x57e2d4 RemoveDirectoryW
0x57e2d8 CopyFileW
0x57e2dc MoveFileW
0x57e2e0 MoveFileExW
0x57e2e4 OpenProcess
0x57e2e8 TerminateProcess
0x57e2ec LocalFree
0x57e2f0 WriteFile
0x57e2f4 GetCurrentProcess
0x57e2f8 LoadLibraryW
0x57e2fc GetProcAddress
0x57e300 GetModuleHandleW
0x57e304 GetCurrentProcessId
0x57e308 CreateThread
0x57e30c GetModuleHandleA
0x57e310 FreeLibrary
0x57e318 LocalAlloc
0x57e320 WinExec
0x57e324 GetFileAttributesW
0x57e330 GetComputerNameExW
0x57e338 SetPriorityClass
0x57e33c SetThreadPriority
0x57e340 GetVersionExW
0x57e344 GetSystemInfo
0x57e348 GetFileSize
0x57e34c ReadFile
0x57e350 GetFileSizeEx
0x57e354 LoadLibraryA
0x57e358 ReadProcessMemory
0x57e35c OpenThread
0x57e360 VirtualQueryEx
0x57e368 IsBadReadPtr
0x57e36c GetCurrentThreadId
0x57e370 OpenEventW
0x57e378 CreateMutexW
0x57e380 SetFilePointer
0x57e384 SetFileTime
0x57e388 IsBadWritePtr
0x57e38c TlsSetValue
0x57e390 CancelWaitableTimer
0x57e394 ResetEvent
0x57e398 GetTempPathW
0x57e39c GetTempFileNameW
0x57e3a4 SetWaitableTimer
0x57e3ac GetDiskFreeSpaceExW
0x57e3b0 SetEndOfFile
0x57e3b4 TlsAlloc
0x57e3b8 TlsFree
0x57e3bc GetLocalTime
0x57e3c0 GlobalAlloc
0x57e3c4 GlobalFree
0x57e3cc DeviceIoControl
0x57e3d0 SuspendThread
0x57e3e0 GetSystemTime
0x57e3e4 ReleaseMutex
0x57e3e8 GetFullPathNameW
0x57e3ec GetFullPathNameA
0x57e3f0 CreateFileA
0x57e3f4 HeapCompact
0x57e3fc MapViewOfFile
0x57e400 UnmapViewOfFile
0x57e408 UnlockFile
0x57e40c LockFile
0x57e410 OutputDebugStringW
0x57e414 UnlockFileEx
0x57e418 FormatMessageA
0x57e41c FormatMessageW
0x57e420 GetFileAttributesA
0x57e424 HeapCreate
0x57e428 HeapValidate
0x57e42c FlushFileBuffers
0x57e430 LockFileEx
0x57e434 GetDiskFreeSpaceW
0x57e438 CreateFileMappingA
0x57e43c CreateFileMappingW
0x57e440 GetDiskFreeSpaceA
0x57e444 OutputDebugStringA
0x57e448 GetVersionExA
0x57e44c GetTempPathA
0x57e450 AreFileApisANSI
0x57e454 DeleteFileA
0x57e458 GetACP
0x57e464 ExitProcess
0x57e46c GetFileType
0x57e470 DuplicateHandle
0x57e474 MulDiv
0x57e478 QueryDosDeviceW
0x57e47c IsDebuggerPresent
Library USER32.dll:
0x57e51c MessageBoxW
0x57e520 SendMessageTimeoutW
0x57e524 FindWindowExW
0x57e528 GetSystemMetrics
0x57e52c PostThreadMessageW
0x57e530 GetMessageW
0x57e534 TranslateMessage
0x57e538 DispatchMessageW
0x57e53c KillTimer
0x57e540 OffsetRect
0x57e544 InflateRect
0x57e548 UnionRect
0x57e54c wvsprintfW
0x57e550 SetCursor
0x57e554 LoadCursorW
0x57e558 GetKeyState
0x57e55c ReleaseDC
0x57e560 GetDC
0x57e564 GetClientRect
0x57e568 SetWindowPos
0x57e56c GetWindowLongW
0x57e570 SetWindowLongW
0x57e574 SetTimer
0x57e578 SetFocus
0x57e57c GetUpdateRect
0x57e580 BeginPaint
0x57e584 EndPaint
0x57e588 IsRectEmpty
0x57e58c InvalidateRect
0x57e590 GetWindowRect
0x57e594 MapWindowPoints
0x57e598 CreateWindowExW
0x57e59c ScreenToClient
0x57e5a0 GetCursorPos
0x57e5a4 GetFocus
0x57e5a8 SetCapture
0x57e5ac ReleaseCapture
0x57e5b0 PtInRect
0x57e5b4 GetParent
0x57e5b8 DefWindowProcW
0x57e5bc EnableWindow
0x57e5c0 GetMonitorInfoW
0x57e5c4 MonitorFromWindow
0x57e5c8 LoadImageW
0x57e5cc RegisterClassW
0x57e5d0 GetClassInfoExW
0x57e5d4 RegisterClassExW
0x57e5d8 CallWindowProcW
0x57e5dc SetPropW
0x57e5e0 GetPropW
0x57e5e4 AdjustWindowRectEx
0x57e5e8 GetMenu
0x57e5ec IntersectRect
0x57e5f0 IsIconic
0x57e5f4 IsZoomed
0x57e5f8 SetWindowRgn
0x57e5fc CreateCaret
0x57e600 ShowCaret
0x57e604 HideCaret
0x57e608 SetCaretPos
0x57e60c ClientToScreen
0x57e610 GetSysColor
0x57e614 FillRect
0x57e618 DrawTextW
0x57e61c SetRect
0x57e620 CharPrevW
0x57e624 SetWindowTextW
0x57e62c GetWindowTextW
0x57e630 InvalidateRgn
0x57e638 MoveWindow
0x57e63c CharNextW
0x57e640 IsWindowVisible
0x57e644 ShowWindow
0x57e648 DestroyWindow
0x57e64c PostQuitMessage
0x57e650 IsWindow
0x57e654 SendMessageW
0x57e658 wsprintfW
0x57e65c UnregisterClassW
0x57e660 PostMessageW
0x57e664 GetWindow
Library ADVAPI32.dll:
0x57e000 GetTokenInformation
0x57e004 RegQueryValueExW
0x57e008 RegDeleteValueW
0x57e00c OpenProcessToken
0x57e010 RegSetValueExW
0x57e018 CryptCreateHash
0x57e01c CryptReleaseContext
0x57e020 CryptHashData
0x57e024 CryptGetHashParam
0x57e028 CryptDestroyHash
0x57e02c OpenSCManagerW
0x57e030 OpenServiceW
0x57e034 ControlService
0x57e038 DeleteService
0x57e03c CloseServiceHandle
0x57e040 RegOpenKeyExW
0x57e044 RegCloseKey
0x57e04c SaferCloseLevel
0x57e050 SaferCreateLevel
0x57e058 DuplicateTokenEx
0x57e068 SetEntriesInAclW
0x57e070 FreeSid
0x57e074 GetUserNameW
0x57e078 RegOpenKeyW
0x57e07c RegEnumKeyExW
Library SHELL32.dll:
0x57e4ac
0x57e4b0 ShellExecuteExW
0x57e4b4 SHGetFolderPathW
0x57e4bc CommandLineToArgvW
0x57e4c0 ShellExecuteW
Library ole32.dll:
0x57e75c CoTaskMemFree
0x57e760 CoInitializeEx
0x57e768 CoSetProxyBlanket
0x57e76c CoCreateGuid
0x57e770 StringFromGUID2
0x57e774 OleLockRunning
0x57e778 CLSIDFromString
0x57e77c CLSIDFromProgID
0x57e780 CoCreateInstance
0x57e784 CoInitialize
0x57e788 CoUninitialize
Library OLEAUT32.dll:
0x57e488 VariantClear
0x57e48c VariantInit
0x57e490 SysAllocString
0x57e494 SysFreeString
Library FLTLIB.DLL:
0x57e0b0 FilterSendMessage
Library CRYPT32.dll:
0x57e090 CryptMsgGetParam
0x57e094 CertCloseStore
0x57e0a0 CertGetNameStringW
0x57e0a4 CryptQueryObject
0x57e0a8 CryptMsgClose
Library SHLWAPI.dll:
0x57e4cc SHGetValueW
0x57e4d0 SHDeleteValueW
0x57e4d4 PathFindFileNameW
0x57e4d8 PathCombineW
0x57e4dc SHGetValueA
0x57e4e4 UrlEscapeW
0x57e4e8 StrCmpIW
0x57e4ec SHSetValueW
0x57e4f0 PathGetDriveNumberW
0x57e4f4 SHDeleteKeyW
0x57e4f8 StrStrIW
0x57e4fc PathFileExistsW
0x57e500 PathMatchSpecW
0x57e504 SHRegGetPathW
0x57e508 PathAppendW
0x57e50c PathFindExtensionW
0x57e510 PathRemoveFileSpecW
0x57e514 PathIsDirectoryW
Library gdiplus.dll:
0x57e710 GdipAlloc
0x57e714 GdipFree
0x57e718 GdipDeleteBrush
0x57e71c GdiplusStartup
0x57e720 GdiplusShutdown
0x57e724 GdipCloneBrush
0x57e72c GdipDeleteFont
0x57e73c GdipDrawString
0x57e750 GdipDeleteGraphics
0x57e754 GdipCreateFromHDC
Library WININET.dll:
0x57e698 FtpGetFileSize
0x57e69c HttpQueryInfoW
0x57e6a0 HttpSendRequestExW
0x57e6a4 HttpOpenRequestW
0x57e6a8 InternetSetOptionA
0x57e6ac InternetConnectW
0x57e6b0 InternetOpenW
0x57e6bc InternetSetCookieW
0x57e6c4 InternetCrackUrlW
0x57e6cc InternetSetOptionW
0x57e6d4 FtpCommandW
0x57e6d8 InternetWriteFile
0x57e6dc HttpEndRequestW
0x57e6e0 InternetCloseHandle
0x57e6e4 InternetReadFileExA
0x57e6e8 InternetReadFile
0x57e6ec FtpOpenFileW
Library USERENV.dll:
Library PSAPI.DLL:
0x57e49c EnumProcessModules
0x57e4a0 EnumProcesses
Library IPHLPAPI.DLL:
0x57e15c GetAdaptersInfo
Library VERSION.dll:
0x57e678 GetFileVersionInfoW
0x57e67c VerQueryValueW
Library COMCTL32.dll:
0x57e084 _TrackMouseEvent
0x57e088
Library GDI32.dll:
0x57e0bc BitBlt
0x57e0c0 RestoreDC
0x57e0c4 Rectangle
0x57e0c8 SetWindowOrgEx
0x57e0cc GetTextMetricsW
0x57e0d0 CreateRoundRectRgn
0x57e0d4 GetObjectA
0x57e0d8 GetDeviceCaps
0x57e0dc SelectClipRgn
0x57e0e0 GetClipBox
0x57e0e8 ExtSelectClipRgn
0x57e0ec CombineRgn
0x57e0f0 SaveDC
0x57e0f4 SetStretchBltMode
0x57e0f8 SetBkColor
0x57e0fc ExtTextOutW
0x57e100 CreateSolidBrush
0x57e104 CreatePenIndirect
0x57e108 MoveToEx
0x57e10c LineTo
0x57e110 RoundRect
0x57e114 SetBkMode
0x57e118 SetTextColor
0x57e11c GetCharABCWidthsW
0x57e124 TextOutW
0x57e128 SelectObject
0x57e130 CreateCompatibleDC
0x57e134 DeleteDC
0x57e138 DeleteObject
0x57e13c CreatePen
0x57e140 CreateFontIndirectW
0x57e144 GetStockObject
0x57e148 GetObjectW
0x57e14c StretchBlt
0x57e150 CreateDIBSection
0x57e154 GdiFlush

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port

UDP

Source Source Port Destination Destination Port

HTTP & HTTPS Requests

URI Data
http://service.123juzi.com/i?app_key=e131e8b51bc9c4bb395446794bfdcef9e115b082&device_id=00005ce80000063900001efb00001b03000006b3&sdk_version=16.02&begin_session=1&metrics=%7b%0a%22_os%22%3a%22Windows%207%22%2c%0a%22_device%22%3a%22PC%22%2c%0a%22_resolution%22%3a%22800x600%22%2c%0a%22_carrier%22%3a%22Free%22%2c%0a%22_app_version%22%3a%221.0.0.8%22%0a%7d
GET /i?app_key=e131e8b51bc9c4bb395446794bfdcef9e115b082&device_id=00005ce80000063900001efb00001b03000006b3&sdk_version=16.02&begin_session=1&metrics=%7b%0a%22_os%22%3a%22Windows%207%22%2c%0a%22_device%22%3a%22PC%22%2c%0a%22_resolution%22%3a%22800x600%22%2c%0a%22_carrier%22%3a%22Free%22%2c%0a%22_app_version%22%3a%221.0.0.8%22%0a%7d HTTP/1.1
Accept: */*
Pragma: no-cache
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: service.123juzi.com
Connection: Close

http://opensoft.hao123.com/uploads/member/2013/1122/20131122090744528eae609f18b.jpg
GET /uploads/member/2013/1122/20131122090744528eae609f18b.jpg HTTP/1.1
Accept: */*
Pragma: no-cache
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: opensoft.hao123.com
Connection: Close

http://ww25.123juzi.net/?subid1=20210512-1836-3654-b1b3-4399bfe049ad
GET /?subid1=20210512-1836-3654-b1b3-4399bfe049ad HTTP/1.1
Accept: */*
Pragma: no-cache
Cache-Control: no-cache
Host: ww25.123juzi.net
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Connection: Close
Cookie: sid=292d8aae-b2fd-11eb-83e4-186fd25499ce

http://ocsp2.globalsign.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDBhyuElvTh7HbtMMiw%3D%3D
GET /gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDBhyuElvTh7HbtMMiw%3D%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp2.globalsign.com

http://update.123juzi.net/ntflp.php
GET /ntflp.php HTTP/1.1
Accept: */*
Pragma: no-cache
Cache-Control: no-cache
Cookie: __tad=1620808593.6729357; sid=292d8aae-b2fd-11eb-83e4-186fd25499ce
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: update.123juzi.net
Connection: Close

http://ww2.123juzi.net/
GET / HTTP/1.1
Accept: */*
Pragma: no-cache
Cache-Control: no-cache
Host: ww2.123juzi.net
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Connection: Close
Cookie: sid=292d8aae-b2fd-11eb-83e4-186fd25499ce

http://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAAURO8EJH
GET /rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAAURO8EJH HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.globalsign.com

http://update.123juzi.net/update.php?genre=tsKdx&type=tsKdx_updateCheck&ver=3.2.0.1&cid=&umid=ABCA815BD1F0536ADC55EE293EDE7CD2&os=3&safe=0&ie=8&flash=&ck=A5B8646398DA57304D555CB797D51C66
GET /update.php?genre=tsKdx&type=tsKdx_updateCheck&ver=3.2.0.1&cid=&umid=ABCA815BD1F0536ADC55EE293EDE7CD2&os=3&safe=0&ie=8&flash=&ck=A5B8646398DA57304D555CB797D51C66 HTTP/1.1
Accept: */*
Pragma: no-cache
Cache-Control: no-cache
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: update.123juzi.net
Connection: Close

http://ww25.update.123juzi.net/ntflp.php?subid1=20210512-1836-3822-8713-6a914b8c67aa
GET /ntflp.php?subid1=20210512-1836-3822-8713-6a914b8c67aa HTTP/1.1
Accept: */*
Pragma: no-cache
Cache-Control: no-cache
Cookie: __tad=1620808593.6729357; sid=292d8aae-b2fd-11eb-83e4-186fd25499ce
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: ww25.update.123juzi.net
Connection: Close

http://ww25.update.123juzi.net/update.php?genre=tsKdx&type=tsKdx_updateCheck&ver=3.2.0.1&cid=&umid=ABCA815BD1F0536ADC55EE293EDE7CD2&os=3&safe=0&ie=8&flash=&ck=A5B8646398DA57304D555CB797D51C66&subid1=20210512-1836-33c2-9d41-e1f66e552aa8
GET /update.php?genre=tsKdx&type=tsKdx_updateCheck&ver=3.2.0.1&cid=&umid=ABCA815BD1F0536ADC55EE293EDE7CD2&os=3&safe=0&ie=8&flash=&ck=A5B8646398DA57304D555CB797D51C66&subid1=20210512-1836-33c2-9d41-e1f66e552aa8 HTTP/1.1
Accept: */*
Pragma: no-cache
Cache-Control: no-cache
Host: ww25.update.123juzi.net
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Connection: Close
Cookie: __tad=1620808593.6729357

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.