12.8
0-day
2 个模型检测该样本为恶意!
重新分析
更多

d360d1872dfcf66e41634b40b4c08e7bc98b30be1010bf4c1d59fdb292e59e68

8de7e02702c453f6ce2db09bd40cc587.exe

分析耗时

126s

最近分析

文件大小

5.3MB
静态报毒 动态报毒 GAMEBOX
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee 20201107 6.0.6.653
Alibaba 20190527 0.3.0.5
Avast 20201107 20.10.5736.0
Baidu 20190318 1.0.0.2
Kingsoft 20201107 2013.8.14.323
Tencent 20201107 1.0.0.1
CrowdStrike 20190702 1.0
静态指标
Queries for the computername (11 个事件)
Time & API Arguments Status Return Repeated
1620971976.106374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620971976.106374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620971976.419374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620971976.419374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620971976.481374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620971976.497374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620971976.528374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620971976.544374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620971982.309374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620971982.309374
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620971993.293626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
This executable is signed
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1620971962.700374
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)
section .ndata
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1620972003.449626
__exception__
stacktrace: 
newsclient+0x3f73 @ 0xd53f73
newsclient+0x4418 @ 0xd54418
newsclient+0x6905e @ 0xdb905e
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1373456
registers.edi: 7
registers.eax: 1447909480
registers.ebp: 1373512
registers.edx: 22104
registers.ebx: 0
registers.esi: 4009824
registers.ecx: 10
exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a c7 45
exception.symbol: newsclient+0x578d8
exception.instruction: in eax, dx
exception.module: NewsClient.exe
exception.exception_code: 0xc0000096
exception.offset: 358616
exception.address: 0xda78d8
success 0 0
行为判定
动态指标
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:3510580334&cup2hreq=0cb19b08798a583f09aae14b718af64dc527d962433d33710858d03765a9282b
Performs some HTTP requests (10 个事件)
request GET http://trace2144.2144.cn/__box.gif?&account=boxsetup&pos=8de7e02702c453f6ce2db09bd40cc587.exe&time=20210514&hardserial=VB4d3bbc8a-fd72b187&key=02f643820e386a8016cb8de3cb57f4ef
request GET http://www.92wu.cn/soft/status?uni=bfc01162d8ae7db93d3f44328d51ea85&vm=0&status=aztj&sgsrf=0&qqmgr=0&safe=0&flash=0&flashNP=0&bdsfae=0&bdmgr=0
request GET http://gamebox.2144.cn/site/logout
request GET http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEBsJO3hglto3u6RRlEbIlng%3D
request GET http://crl.verisign.com/pca3.crl
request GET http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D
request GET http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEHiiu%2B6YtoOg%2FCWt4Azy3%2Bs%3D
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620942514&mv=m&mvi=1&pl=23&shardbypass=yes
request POST https://update.googleapis.com/service/update2?cup2key=10:3510580334&cup2hreq=0cb19b08798a583f09aae14b718af64dc527d962433d33710858d03765a9282b
Sends data using the HTTP POST Method (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:3510580334&cup2hreq=0cb19b08798a583f09aae14b718af64dc527d962433d33710858d03765a9282b
Allocates read-write-execute memory (usually to unpack itself) (2 个事件)
Time & API Arguments Status Return Repeated
1620971966.419374
NtProtectVirtualMemory
process_identifier: 2868
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x10004000
success 0 0
1620972034.433751
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000006d70000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 个事件)
Time & API Arguments Status Return Repeated
1620971982.246751
GetDiskFreeSpaceExW
root_path: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Explorer
free_bytes_available: 19450650624
total_number_of_free_bytes: 0
total_number_of_bytes: 0
success 1 0
Creates executable files on the filesystem (30 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\msvcr100.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsr6A01.tmp\BgWorker.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\Duilib.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsr6A01.tmp\md5dll.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\2144游戏大厅\游戏大厅卸载.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsr6A01.tmp\inetc.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\BoxUpdate.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\NewsClient.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\HardwareSerialNumber.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\WebProtect.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\GuardProcess.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\ADbox.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\gameUninst.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\IPCConnect.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsr6A01.tmp\FindProcDLL.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\GamePlayer.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\WebGame.dll
file C:\Users\Administrator.Oskar-PC\Desktop\2144游戏大厅.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\GameCenter.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsr6A01.tmp\nsis7z.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\ScreenShot.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\Helper.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\CBrowserCef.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\GameStart.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\msvcp100.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\FlashGame.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsr6A01.tmp\System.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\2144游戏大厅\游戏大厅.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsr6A01.tmp\nsisdt.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\AllRound.exe
Creates a shortcut to an executable file (6 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\2144游戏大厅\游戏大厅.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\2144游戏大厅.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\2144游戏大厅\游戏大厅卸载.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
file C:\Users\Administrator.Oskar-PC\Desktop\2144游戏大厅.lnk
Drops a binary and executes it (3 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\GameCenter.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\NewsClient.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\WebProtect.exe
Drops an executable to the user AppData folder (27 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\NewsClient.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\msvcp100.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\Duilib.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\GuardProcess.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\Helper.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsr6A01.tmp\inetc.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsr6A01.tmp\FindProcDLL.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\FlashGame.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\GameStart.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsr6A01.tmp\nsisdt.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\AllRound.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsr6A01.tmp\nsis7z.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\WebGame.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsr6A01.tmp\md5dll.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsr6A01.tmp\System.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\BoxUpdate.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\ScreenShot.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\HardwareSerialNumber.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\WebProtect.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsr6A01.tmp\BgWorker.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\CBrowserCef.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\GameCenter.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\ADbox.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\gameUninst.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\msvcr100.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\GamePlayer.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\IPCConnect.dll
Executes one or more WMI queries (3 个事件)
wmi SELECT * FROM Win32_BIOS
wmi SELECT * FROM Win32_BaseBoard
wmi SELECT * FROM Win32_DiskDrive
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (2 个事件)
File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 个事件)
VBA32 suspected of Trojan.Downloader.gen.h
ESET-NOD32 a variant of Win32/Adware.GameBox.A
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1620971985.606374
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Expresses interest in specific running processes (1 个事件)
process gamecenter.exe
Queries for potentially installed applications (8 个事件)
Time & API Arguments Status Return Repeated
1620971966.309374
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\2144GameCenter
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\2144GameCenter
options: 0
failed 2 0
1620971990.121626
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Sogou Input
regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Sogou Input
options: 0
failed 2 0
1620971990.121626
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX
regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX
options: 0
failed 2 0
1620971990.121626
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player NPAPI
regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player NPAPI
options: 0
failed 2 0
1620971990.121626
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\360安全卫士
regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\360安全卫士
options: 0
failed 2 0
1620971990.121626
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
options: 0
failed 2 0
1620971990.121626
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\百度软件管理
regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\百度软件管理
options: 0
failed 2 0
1620971990.121626
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士
regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\百度卫士
options: 0
failed 2 0
Terminates another process (2 个事件)
Time & API Arguments Status Return Repeated
1620972002.138001
NtTerminateProcess
status_code: 0x00000000
process_identifier: 796
process_handle: 0x000000dc
failed 0 0
1620972002.138001
NtTerminateProcess
status_code: 0x00000000
process_identifier: 796
process_handle: 0x000000dc
success 0 0
Executes one or more WMI queries which can be used to identify virtual machines (1 个事件)
wmi SELECT * FROM Win32_BIOS
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Installs itself for autorun at Windows startup (2 个事件)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GameBoxStratRun reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\GameCenter.exe" /runhide
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NewsClientStratRun reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\2144GameBox\NewsClient.exe" /runhide
Attempts to modify browser security settings (5 个事件)
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\GameCenter.exe
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\GamePlayer.exe
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_FORCE_DISABLE_UNTRUSTEDPROTOCOL\GamePlayer.exe
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_USE_WEBOC_OMNAVIGATOR_IMPLEMENTATION\GamePlayer.exe
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\GameCenter.exe
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (15 个事件)
Time & API Arguments Status Return Repeated
1620971988.231374
RegSetValueExA
key_handle: 0x00000480
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620971988.231374
RegSetValueExA
key_handle: 0x00000480
value: p(ðÉrH×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620971988.231374
RegSetValueExA
key_handle: 0x00000480
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620971988.231374
RegSetValueExW
key_handle: 0x00000480
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620971988.231374
RegSetValueExA
key_handle: 0x00000498
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620971988.231374
RegSetValueExA
key_handle: 0x00000498
value: p(ðÉrH×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620971988.231374
RegSetValueExA
key_handle: 0x00000498
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620971988.341374
RegSetValueExW
key_handle: 0x0000047c
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
1620971989.138374
RegSetValueExA
key_handle: 0x000004f4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620971989.138374
RegSetValueExA
key_handle: 0x000004f4
value: Ø|ÊrH×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620971989.153374
RegSetValueExA
key_handle: 0x000004f4
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620971989.153374
RegSetValueExW
key_handle: 0x000004f4
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620971989.153374
RegSetValueExA
key_handle: 0x000004dc
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620971989.153374
RegSetValueExA
key_handle: 0x000004dc
value: Ø|ÊrH×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620971989.153374
RegSetValueExA
key_handle: 0x000004dc
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
Network activity contains more than one unique useragent (2 个事件)
process 8de7e02702c453f6ce2db09bd40cc587.exe useragent NSIS_Inetc (Mozilla)
process GameStart.exe useragent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 7.0; InfoPath.2; .NET4.0C; .NET4.0E)
Detects VMWare through the in instruction feature (1 个事件)
Time & API Arguments Status Return Repeated
1620972003.449626
__exception__
stacktrace: 
newsclient+0x3f73 @ 0xd53f73
newsclient+0x4418 @ 0xd54418
newsclient+0x6905e @ 0xdb905e
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1373456
registers.edi: 7
registers.eax: 1447909480
registers.ebp: 1373512
registers.edx: 22104
registers.ebx: 0
registers.esi: 4009824
registers.ecx: 10
exception.instruction_r: ed 81 fb 68 58 4d 56 0f 94 45 e4 5b 59 5a c7 45
exception.symbol: newsclient+0x578d8
exception.instruction: in eax, dx
exception.module: NewsClient.exe
exception.exception_code: 0xc0000096
exception.offset: 358616
exception.address: 0xda78d8
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)
dead_host 172.217.160.78:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2009-12-06 06:50:46

Imports

Library KERNEL32.dll:
0x407060 CompareFileTime
0x407064 SearchPathA
0x407068 GetShortPathNameA
0x40706c GetFullPathNameA
0x407070 MoveFileA
0x407078 GetFileAttributesA
0x40707c GetLastError
0x407080 CreateDirectoryA
0x407084 SetFileAttributesA
0x407088 Sleep
0x40708c GetTickCount
0x407090 CreateFileA
0x407094 GetFileSize
0x407098 GetModuleFileNameA
0x40709c GetCurrentProcess
0x4070a0 CopyFileA
0x4070a4 ExitProcess
0x4070a8 SetFileTime
0x4070ac GetTempPathA
0x4070b0 GetCommandLineA
0x4070b4 SetErrorMode
0x4070b8 LoadLibraryA
0x4070bc lstrcpynA
0x4070c0 GetDiskFreeSpaceA
0x4070c4 GlobalUnlock
0x4070c8 GlobalLock
0x4070cc CreateThread
0x4070d0 CreateProcessA
0x4070d4 RemoveDirectoryA
0x4070d8 GetTempFileNameA
0x4070dc lstrlenA
0x4070e0 lstrcatA
0x4070e4 GetSystemDirectoryA
0x4070e8 GetVersion
0x4070ec CloseHandle
0x4070f0 lstrcmpiA
0x4070f4 lstrcmpA
0x4070fc GlobalFree
0x407100 GlobalAlloc
0x407104 WaitForSingleObject
0x407108 GetExitCodeProcess
0x40710c GetModuleHandleA
0x407110 LoadLibraryExA
0x407114 GetProcAddress
0x407118 FreeLibrary
0x40711c MultiByteToWideChar
0x407128 WriteFile
0x40712c ReadFile
0x407130 MulDiv
0x407134 SetFilePointer
0x407138 FindClose
0x40713c FindNextFileA
0x407140 FindFirstFileA
0x407144 DeleteFileA
Library USER32.dll:
0x40716c EndDialog
0x407170 ScreenToClient
0x407174 GetWindowRect
0x407178 EnableMenuItem
0x40717c GetSystemMenu
0x407180 SetClassLongA
0x407184 IsWindowEnabled
0x407188 SetWindowPos
0x40718c GetSysColor
0x407190 GetWindowLongA
0x407194 SetCursor
0x407198 LoadCursorA
0x40719c CheckDlgButton
0x4071a0 GetMessagePos
0x4071a4 LoadBitmapA
0x4071a8 CallWindowProcA
0x4071ac IsWindowVisible
0x4071b0 CloseClipboard
0x4071b4 SetClipboardData
0x4071b8 EmptyClipboard
0x4071bc RegisterClassA
0x4071c0 TrackPopupMenu
0x4071c4 AppendMenuA
0x4071c8 CreatePopupMenu
0x4071cc GetSystemMetrics
0x4071d0 SetDlgItemTextA
0x4071d4 GetDlgItemTextA
0x4071d8 MessageBoxIndirectA
0x4071dc CharPrevA
0x4071e0 DispatchMessageA
0x4071e4 PeekMessageA
0x4071e8 DestroyWindow
0x4071ec CreateDialogParamA
0x4071f0 SetTimer
0x4071f4 SetWindowTextA
0x4071f8 PostQuitMessage
0x4071fc SetForegroundWindow
0x407200 wsprintfA
0x407204 SendMessageTimeoutA
0x407208 FindWindowExA
0x407210 CreateWindowExA
0x407214 GetClassInfoA
0x407218 DialogBoxParamA
0x40721c CharNextA
0x407220 OpenClipboard
0x407224 ExitWindowsEx
0x407228 IsWindow
0x40722c GetDlgItem
0x407230 SetWindowLongA
0x407234 LoadImageA
0x407238 GetDC
0x40723c EnableWindow
0x407240 InvalidateRect
0x407244 SendMessageA
0x407248 DefWindowProcA
0x40724c BeginPaint
0x407250 GetClientRect
0x407254 FillRect
0x407258 DrawTextA
0x40725c EndPaint
0x407260 ShowWindow
Library GDI32.dll:
0x40703c SetBkColor
0x407040 GetDeviceCaps
0x407044 DeleteObject
0x407048 CreateBrushIndirect
0x40704c CreateFontIndirectA
0x407050 SetBkMode
0x407054 SetTextColor
0x407058 SelectObject
Library SHELL32.dll:
0x407154 SHBrowseForFolderA
0x407158 SHGetFileInfoA
0x40715c ShellExecuteA
0x407160 SHFileOperationA
Library ADVAPI32.dll:
0x407000 RegQueryValueExA
0x407004 RegSetValueExA
0x407008 RegEnumKeyA
0x40700c RegEnumValueA
0x407010 RegOpenKeyExA
0x407014 RegDeleteKeyA
0x407018 RegDeleteValueA
0x40701c RegCloseKey
0x407020 RegCreateKeyExA
Library COMCTL32.dll:
0x407028 ImageList_AddMasked
0x40702c ImageList_Destroy
0x407030
0x407034 ImageList_Create
Library ole32.dll:
0x407278 CoTaskMemFree
0x40727c OleInitialize
0x407280 OleUninitialize
0x407284 CoCreateInstance
Library VERSION.dll:
0x40726c GetFileVersionInfoA
0x407270 VerQueryValueA

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49208 117.18.237.29 crl.verisign.com 80
192.168.56.101 49260 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49219 203.208.41.66 update.googleapis.com 443
192.168.56.101 49199 212.64.117.195 www.92wu.cn 80
192.168.56.101 49184 222.73.113.34 trace2144.2144.cn 80
192.168.56.101 49204 222.73.113.60 gamebox.2144.cn 80
192.168.56.101 49207 23.4.43.27 sv.symcd.com 80
192.168.56.101 49209 23.4.43.27 sv.symcd.com 80
192.168.56.101 49210 23.4.43.27 sv.symcd.com 80
192.168.56.101 49266 58.63.233.66 r1---sn-j5o76n7l.gvt1.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50433 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 53380 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 54991 114.114.114.114 53
192.168.56.101 55169 114.114.114.114 53
192.168.56.101 57236 114.114.114.114 53
192.168.56.101 58970 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 62144 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://gamebox.2144.cn/site/logout 
GET /site/logout HTTP/1.1
X-2144-Flag: source=2144gambox;ver=4.1.1.122;pos=8de7e02702c453f6ce2db09bd40cc587.exe
Content-Type: application/x-www-form-urlencoded
x-requested-with: keep-alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 7.0; InfoPath.2; .NET4.0C; .NET4.0E)
Host: gamebox.2144.cn
http://r1---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620942514&mv=m&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.99&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1620942514&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7l.gvt1.com
http://crl.verisign.com/pca3.crl 
GET /pca3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.verisign.com
http://trace2144.2144.cn/__box.gif?&account=boxsetup&pos=8de7e02702c453f6ce2db09bd40cc587.exe&time=20210514&hardserial=VB4d3bbc8a-fd72b187&key=02f643820e386a8016cb8de3cb57f4ef 
GET /__box.gif?&account=boxsetup&pos=8de7e02702c453f6ce2db09bd40cc587.exe&time=20210514&hardserial=VB4d3bbc8a-fd72b187&key=02f643820e386a8016cb8de3cb57f4ef HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: trace2144.2144.cn
Connection: Keep-Alive
Cache-Control: no-cache
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEBsJO3hglto3u6RRlEbIlng%3D 
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEBsJO3hglto3u6RRlEbIlng%3D HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
http://www.92wu.cn/soft/status?uni=bfc01162d8ae7db93d3f44328d51ea85&vm=0&status=aztj&sgsrf=0&qqmgr=0&safe=0&flash=0&flashNP=0&bdsfae=0&bdmgr=0 
GET /soft/status?uni=bfc01162d8ae7db93d3f44328d51ea85&vm=0&status=aztj&sgsrf=0&qqmgr=0&safe=0&flash=0&flashNP=0&bdsfae=0&bdmgr=0 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
Accept-Encoding: default
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 7.0; InfoPath.2; .NET4.0C; .NET4.0E)
Host: www.92wu.cn
http://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEBsJO3hglto3u6RRlEbIlng%3D 
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X%2B%2BhEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEBsJO3hglto3u6RRlEbIlng%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D 
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: s2.symcb.com
http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEHiiu%2B6YtoOg%2FCWt4Azy3%2Bs%3D 
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEHiiu%2B6YtoOg%2FCWt4Azy3%2Bs%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: sv.symcd.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.