SmartHawk

17.8

0-day

56 个模型检测该样本为恶意！

重新分析

下载样本

8a6358426543c2a66c3bb116cf5a8cdefa04ba41463c4c05363bb03521f860ee

90d2651d7c671582c6674de25da0127b.exe

分析耗时

91s

最近分析

文件大小

392.0KB

静态报毒动态报毒 100% 66C98U5XYII A + TROJ AI SCORE=80 AIDETECTVM ATRAPS BDJL BLOCKER BSCOPE CHINA CONFIDENCE ELDORADO GENASA GENCIRC GENERICRXJA GENETIC GGBJBZ HIGH CONFIDENCE INVADER KCLOUD KVMH017 MALICIOUS PE MALWARE1 NCA@8M98I8 QVM20 RLW8FKXCJGM SCORE SHIFU SHIZ SIGGEN9 STATIC AI UNSAFE YQZ@XYWZVJD 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	TrojanSpy:Win32/Invader.29870141	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:Shifu-B [Trj]	20201210	21.1.5827.0
Kingsoft	Win32.Heur.KVMH017.a.(kcloud)	20201211	2017.9.26.565
McAfee	GenericRXJA-YC!90D2651D7C67	20201211	6.0.6.653
Tencent	Malware.Win32.Gencirc.10b0780b	20201211	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Queries for the computername (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619712156.532249 GetComputerNameA	computer_name: OSKAR-PC	success	1	0
1619712215.609499 GetComputerNameA	computer_name: OSKAR-PC	success	1	0

Command line console output was observed (9 个事件)

Time & API	Arguments	Status	Return
1619712157.219626 WriteConsoleW	buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp> console_handle: 0x00000007	success	1
1619712157.234626 WriteConsoleW	buffer: echo console_handle: 0x00000007	success	1
1619712157.234626 WriteConsoleW	buffer: yabaqxbdnsxtnui console_handle: 0x00000007	success	1
1619712157.234626 WriteConsoleW	buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\90d2651d7c671582c6674de25da0127b.exe" console_handle: 0x00000007	success	1
1619712157.359626 WriteConsoleW	buffer: 另一个程序正在使用此文件，进程无法访问。 console_handle: 0x0000000b	success	1
1619712157.406626 WriteConsoleW	buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp> console_handle: 0x00000007	success	1
1619712157.422626 WriteConsoleW	buffer: del console_handle: 0x00000007	success	1
1619712157.422626 WriteConsoleW	buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\tytF089.tmp.bat" console_handle: 0x00000007	success	1
1619712157.640626 WriteConsoleW	buffer: 找不到批处理文件。 console_handle: 0x0000000b	success	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallDate

This executable has a PDB path (1 个事件)

pdb_path

Z:\coding\project\main\result\result.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619686141.318065 GlobalMemoryStatusEx		success	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 2851 个事件)

Time & API	Arguments	Status
1619686141.536065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.536065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.536065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.536065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.536065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.536065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.536065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.536065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.536065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.536065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.536065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006b4000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006bd000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006bd000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006bd000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006bd000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006bd000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006bd000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006bd000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006bd000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006bd000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006bd000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006bd000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006bd000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006bd000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006bd000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006bd000	success
1619686141.552065 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x006bd000	success

Checks for known Chinese AV sofware registry keys (1 个事件)

regkey

.*rising

Creates executable files on the filesystem (2 个事件)

file	C:\ProgramData\2bd0bd6f8j.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\tytF089.tmp.bat

Drops a binary and executes it (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\tytF089.tmp.bat

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619686142.583065 ShellExecuteExW	parameters: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\90d2651d7c671582c6674de25da0127b.exe" filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\tytF089.tmp.bat filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\tytF089.tmp.bat show_type: 0	success	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (7 个事件)

Time & API	Arguments	Status	Return
1619712157.610249 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000520 process_identifier: 3120	success	1
1619712157.610249 Process32NextW	process_name: snapshot_handle: 0x00000520 process_identifier: 1966308433	failed	0
1619712187.016249 Process32NextW	process_name: dllhost.exe snapshot_handle: 0x00000450 process_identifier: 3476	success	1
1619712187.016249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 1966262555	failed	0
1619712192.704249 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000450 process_identifier: 3540	success	1
1619712210.970249 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000450 process_identifier: 3648	success	1
1619712213.828499 Process32NextW	process_name: svchost.exe snapshot_handle: 0x0000017c process_identifier: 3720	success	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619712157.345249 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.93472237364679

section

{'size_of_data': '0x00025200', 'virtual_address': '0x00006000', 'entropy': 7.93472237364679, 'name': '.data', 'virtual_size': '0x000256d4'}

description

A section with a high entropy has been found

entropy

0.9054878048780488

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 94 个事件)

Time & API	Arguments	Status
1619712159.985249 Process32NextW	process_name: snapshot_handle: 0x00000548 process_identifier: 0	failed
1619712160.501249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712161.016249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712161.532249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712162.063249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712162.579249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712163.110249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712163.626249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712164.141249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712164.657249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712165.188249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712165.704249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712166.235249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712166.766249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712167.298249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712167.798249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712168.313249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712168.829249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712169.345249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712169.860249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712170.376249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712170.891249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712171.407249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712171.923249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712172.423249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712172.954249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712173.485249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712173.985249 Process32NextW	process_name: snapshot_handle: 0x00000548 process_identifier: 0	failed
1619712174.501249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712175.016249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712175.532249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712176.063249 Process32NextW	process_name: snapshot_handle: 0x00000548 process_identifier: 0	failed
1619712176.579249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712177.095249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712177.595249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712178.110249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712178.626249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712179.157249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712179.673249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712180.188249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712180.704249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712181.220249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712181.766249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712182.282249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712182.891249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712183.407249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712183.923249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712184.454249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712184.970249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed
1619712185.470249 Process32NextW	process_name: snapshot_handle: 0x00000450 process_identifier: 0	failed

Created a process named as a common system process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619686138.240065 CreateProcessInternalW	thread_identifier: 2340 thread_handle: 0x000000a8 process_identifier: 2316 current_directory: filepath: C:\Windows\System32\svchost.exe track: 1 command_line: C:\ProgramData\2bd0bd6f8j.exe filepath_r: C:\Windows\system32\svchost.exe stack_pivoted: 0 creation_flags: 12 (CREATE_SUSPENDED\|DETACHED_PROCESS) process_handle: 0x000000b4 inherit_handles: 0	success	1	0

Uses Windows utilities for basic Windows functionality (1 个事件)

cmdline

C:\Users\Administrator.Oskar-PC\AppData\Local\tytF089.tmp.bat "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\90d2651d7c671582c6674de25da0127b.exe"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (8 个事件)

Time & API	Arguments	Status
1619686138.240065 NtAllocateVirtualMemory	process_identifier: 2316 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000000b4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x000b0000	success
1619686138.927065 NtProtectVirtualMemory	process_identifier: 2316 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000000b4 base_address: 0x00280000	success
1619712155.766249 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000250 base_address: 0x02fb0000	success
1619712157.673249 NtProtectVirtualMemory	process_identifier: 1108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000534 base_address: 0x021d0000	success
1619712157.735249 NtProtectVirtualMemory	process_identifier: 3120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000538 base_address: 0x00450000	success
1619712192.751249 NtProtectVirtualMemory	process_identifier: 3540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000520 base_address: 0x00320000	success
1619712211.095249 NtProtectVirtualMemory	process_identifier: 3648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000530 base_address: 0x00320000	success
1619712216.765499 NtProtectVirtualMemory	process_identifier: 3884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000510 base_address: 0x00450000	success

Attempts to identify installed AV products by registry key (19 个事件)

registry	HKEY_LOCAL_MACHINE\Software\Avg
registry	HKEY_LOCAL_MACHINE\Software\AVAST Software\Avast
registry	HKEY_LOCAL_MACHINE\Software\Avira
registry	HKEY_LOCAL_MACHINE\Software\Bitdefender
registry	HKEY_LOCAL_MACHINE\Software\Coranti
registry	HKEY_LOCAL_MACHINE\Software\Data Fellows\F-Secure
registry	HKEY_LOCAL_MACHINE\Software\Doctor Web
registry	HKEY_LOCAL_MACHINE\Software\Eset\Nod
registry	HKEY_LOCAL_MACHINE\Software\G Data
registry	HKEY_LOCAL_MACHINE\Software\Symantec
registry	HKEY_LOCAL_MACHINE\Software\KasperskyLab\protected
registry	HKEY_LOCAL_MACHINE\Software\Network Associates\TVD
registry	HKEY_LOCAL_MACHINE\Software\Panda Software
registry	HKEY_LOCAL_MACHINE\Software\rising
registry	HKEY_LOCAL_MACHINE\Software\Softed\ViGUARD
registry	HKEY_LOCAL_MACHINE\Software\Sophos
registry	HKEY_LOCAL_MACHINE\Software\TrendMicro
registry	HKEY_LOCAL_MACHINE\Software\VBA32
registry	HKEY_LOCAL_MACHINE\Software\Zone Labs\ZoneAlarm

Installs itself for autorun at Windows startup (1 个事件)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\IntelPowerAgent5

reg_value

rundll32.exe shell32.dll, ShellExec_RunDLL C:\PROGRA~3\2BD0BD~1.EXE

Attempts to access Bitcoin/ALTCoin wallets (2 个事件)

file	C:\Users\Administrator.Oskar-PClitecoin\wallet.dat
file	C:\Users\Administrator.Oskar-PCbitcoin\wallet.dat

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\tytF089.tmp.bat

Disables proxy possibly for traffic interception (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619712156.329249 RegSetValueExA	key_handle: 0x0000037c value: 0 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	success	0	0
1619712214.734499 RegSetValueExA	key_handle: 0x000003c0 value: 0 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	success	0	0

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (12 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2316 created a remote thread in non-child process 472
Process injection	Process 2316 created a remote thread in non-child process 1108
Process injection	Process 2316 created a remote thread in non-child process 3120
Process injection	Process 2316 created a remote thread in non-child process 3540
Process injection	Process 2316 created a remote thread in non-child process 3648
Process injection	Process 3540 created a remote thread in non-child process 3884
1619712155.766249 CreateRemoteThread	thread_identifier: 0 process_identifier: 472 function_address: 0x02fb114d flags: 0 process_handle: 0x00000250 parameter: 0x00000000 stack_size: 0	success	596	0
1619712157.688249 CreateRemoteThread	thread_identifier: 0 process_identifier: 1108 function_address: 0x021d114d flags: 0 process_handle: 0x00000534 parameter: 0x00000000 stack_size: 0	success	1348	0
1619712158.141249 CreateRemoteThread	thread_identifier: 0 process_identifier: 3120 function_address: 0x0045114d flags: 0 process_handle: 0x00000538 parameter: 0x00000000 stack_size: 0	success	1344	0
1619712193.016249 CreateRemoteThread	thread_identifier: 0 process_identifier: 3540 function_address: 0x0032114d flags: 0 process_handle: 0x00000520 parameter: 0x00000000 stack_size: 0	success	1328	0
1619712212.329249 CreateRemoteThread	thread_identifier: 0 process_identifier: 3648 function_address: 0x0032114d flags: 0 process_handle: 0x00000530 parameter: 0x00000000 stack_size: 0	failed	0	0
1619712217.375499 CreateRemoteThread	thread_identifier: 0 process_identifier: 3884 function_address: 0x0045114d flags: 0 process_handle: 0x00000510 parameter: 0x00000000 stack_size: 0	success	1304	0

Manipulates memory of a non-child process indicative of process injection (18 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2316 manipulating memory of non-child process 472
Process injection	Process 2316 manipulating memory of non-child process 1108
Process injection	Process 2316 manipulating memory of non-child process 3120
Process injection	Process 2316 manipulating memory of non-child process 3540
Process injection	Process 2316 manipulating memory of non-child process 3648
Process injection	Process 3540 manipulating memory of non-child process 3884
1619712155.720249 NtAllocateVirtualMemory	process_identifier: 472 region_size: 483328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000250 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02fb0000	success	0	0
1619712155.766249 NtProtectVirtualMemory	process_identifier: 472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000250 base_address: 0x02fb0000	success	0	0
1619712157.641249 NtAllocateVirtualMemory	process_identifier: 1108 region_size: 483328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000534 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x021d0000	success	0	0
1619712157.673249 NtProtectVirtualMemory	process_identifier: 1108 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000534 base_address: 0x021d0000	success	0	0
1619712157.704249 NtAllocateVirtualMemory	process_identifier: 3120 region_size: 483328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000538 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00450000	success	0	0
1619712157.735249 NtProtectVirtualMemory	process_identifier: 3120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000538 base_address: 0x00450000	success	0	0
1619712192.720249 NtAllocateVirtualMemory	process_identifier: 3540 region_size: 483328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000520 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00320000	success	0	0
1619712192.751249 NtProtectVirtualMemory	process_identifier: 3540 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000520 base_address: 0x00320000	success	0	0
1619712210.985249 NtAllocateVirtualMemory	process_identifier: 3648 region_size: 483328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000530 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00320000	success	0	0
1619712211.095249 NtProtectVirtualMemory	process_identifier: 3648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000530 base_address: 0x00320000	success	0	0
1619712216.734499 NtAllocateVirtualMemory	process_identifier: 3884 region_size: 483328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000510 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00450000	success	0	0
1619712216.765499 NtProtectVirtualMemory	process_identifier: 3884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000510 base_address: 0x00450000	success	0	0

Potential code injection by writing to the memory of another process (14 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2316 injected into non-child 472
Process injection	Process 2316 injected into non-child 1108
Process injection	Process 2316 injected into non-child 3120
Process injection	Process 2316 injected into non-child 3540
Process injection	Process 2316 injected into non-child 3648
Process injection	Process 3540 injected into non-child 3884
1619686138.240065 WriteProcessMemory	process_identifier: 2316 buffer: jÿhÿ5vÃ process_handle: 0x000000b4 base_address: 0x000b0000	success	1	0
1619686138.880065 WriteProcessMemory	process_identifier: 2316 buffer: ÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $º¼_þbÒþbÒþbÒ÷GÿbÒm,JÿbÒAËübÒþbÒýbÒAÿbÒ÷VÿbÒ÷A×bÒþbÓ¸cÒåÿ}¹bÒåÿOÿbÒRichþbÒ(tºLbåUà! äìM@¤'\|ð¤.text¬ÃÄ `codeAà È `.rdataÎABè@@.data$PB*@À.reloc°ðl@B process_handle: 0x000000b4 base_address: 0x00280000	success	1	0
1619712155.720249 WriteProcessMemory	process_identifier: 472 buffer: ÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $º¼_þbÒþbÒþbÒ÷GÿbÒm,JÿbÒAËübÒþbÒýbÒAÿbÒ÷VÿbÒ÷A×bÒþbÓ¸cÒåÿ}¹bÒåÿOÿbÒRichþbÒ(tºLbåUà! äìM@¤'\|ð¤.text¬ÃÄ `codeAà È `.rdataÎABè@@.data$PB*@À.reloc°ðl@B process_handle: 0x00000250 base_address: 0x02fb0000	success	1	0
1619712157.641249 WriteProcessMemory	process_identifier: 1108 buffer: ÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $º¼_þbÒþbÒþbÒ÷GÿbÒm,JÿbÒAËübÒþbÒýbÒAÿbÒ÷VÿbÒ÷A×bÒþbÓ¸cÒåÿ}¹bÒåÿOÿbÒRichþbÒ(tºLbåUà! äìM@¤'\|ð¤.text¬ÃÄ `codeAà È `.rdataÎABè@@.data$PB*@À.reloc°ðl@B process_handle: 0x00000534 base_address: 0x021d0000	success	1	0
1619712157.704249 WriteProcessMemory	process_identifier: 3120 buffer: ÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $º¼_þbÒþbÒþbÒ÷GÿbÒm,JÿbÒAËübÒþbÒýbÒAÿbÒ÷VÿbÒ÷A×bÒþbÓ¸cÒåÿ}¹bÒåÿOÿbÒRichþbÒ(tºLbåUà! äìM@¤'\|ð¤.text¬ÃÄ `codeAà È `.rdataÎABè@@.data$PB*@À.reloc°ðl@B process_handle: 0x00000538 base_address: 0x00450000	success	1	0
1619712192.720249 WriteProcessMemory	process_identifier: 3540 buffer: ÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $º¼_þbÒþbÒþbÒ÷GÿbÒm,JÿbÒAËübÒþbÒýbÒAÿbÒ÷VÿbÒ÷A×bÒþbÓ¸cÒåÿ}¹bÒåÿOÿbÒRichþbÒ(tºLbåUà! äìM@¤'\|ð¤.text¬ÃÄ `codeAà È `.rdataÎABè@@.data$PB*@À.reloc°ðl@B process_handle: 0x00000520 base_address: 0x00320000	success	1	0
1619712210.985249 WriteProcessMemory	process_identifier: 3648 buffer: ÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $º¼_þbÒþbÒþbÒ÷GÿbÒm,JÿbÒAËübÒþbÒýbÒAÿbÒ÷VÿbÒ÷A×bÒþbÓ¸cÒåÿ}¹bÒåÿOÿbÒRichþbÒ(tºLbåUà! äìM@¤'\|ð¤.text¬ÃÄ `codeAà È `.rdataÎABè@@.data$PB*@À.reloc°ðl@B process_handle: 0x00000530 base_address: 0x00320000	success	1	0
1619712216.734499 WriteProcessMemory	process_identifier: 3884 buffer: ÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $º¼_þbÒþbÒþbÒ÷GÿbÒm,JÿbÒAËübÒþbÒýbÒAÿbÒ÷VÿbÒ÷A×bÒþbÓ¸cÒåÿ}¹bÒåÿOÿbÒRichþbÒ(tºLbåUà! äìM@¤'\|ð¤.text¬ÃÄ `codeAà È `.rdataÎABè@@.data$PB*@À.reloc°ðl@B process_handle: 0x00000510 base_address: 0x00450000	success	1	0

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)

Time & API	Arguments	Status
1619712159.954249 RegSetValueExA	key_handle: 0x0000053c value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1619712159.954249 RegSetValueExA	key_handle: 0x0000053c value: ,Dï÷<× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1619712159.954249 RegSetValueExA	key_handle: 0x0000053c value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1619712159.954249 RegSetValueExW	key_handle: 0x0000053c value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1619712159.954249 RegSetValueExA	key_handle: 0x00000520 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1619712159.954249 RegSetValueExA	key_handle: 0x00000520 value: ,Dï÷<× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1619712159.954249 RegSetValueExA	key_handle: 0x00000520 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1619712160.048249 RegSetValueExW	key_handle: 0x00000508 value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success

Network activity contains more than one unique useragent (2 个事件)

process	svchost.exe				useragent	Internal
process	svchost.exe				useragent	Mozilla/5.0 (Windows; U; Windows NT 5.2 x64; en-US; rv:1.9a1) Gecko/20061007 Minefield/3.0a1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 472 called NtSetContextThread to modify thread in remote process 2316
1619686138.240065 NtSetContextThread	thread_handle: 0x000000a8 registers.eip: 2010382788 registers.esp: 2619840 registers.edi: 0 registers.eax: 720896 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2316	success	0	0

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2015-09-01 16:30:23

Imports

Library KERNEL32.dll:

• 0x40402c GetLastError

• 0x404030 CloseHandle

• 0x404034 GetModuleFileNameW

• 0x404038 DeleteFileA

• 0x40403c Sleep

• 0x404040 GetProcessHeap

• 0x404044 WaitForSingleObject

• 0x404048 HeapFree

• 0x40404c HeapAlloc

• 0x404050 GetCommandLineW

• 0x404054 LocalFree

• 0x404058 GetCurrentProcessId

• 0x40405c GetVersionExA

• 0x404060 LocalAlloc

• 0x404064 LoadLibraryA

• 0x404068 FreeLibrary

• 0x40406c GetModuleHandleA

• 0x404070 GetProcAddress

• 0x404074 GetModuleFileNameA

• 0x404078 GetVersionExW

• 0x40407c GetSystemWindowsDirectoryA

• 0x404080 GlobalFindAtomA

• 0x404084 ExpandEnvironmentStringsA

• 0x404088 GetCurrentProcess

• 0x40408c GlobalAddAtomA

• 0x404090 SetErrorMode

• 0x404094 lstrcpynA

• 0x404098 ExitProcess

• 0x40409c GetTickCount

• 0x4040a0 Module32Next

• 0x4040a4 GlobalMemoryStatusEx

• 0x4040a8 VirtualProtectEx

• 0x4040ac VirtualAlloc

• 0x4040b0 Module32First

• 0x4040b4 GetExitCodeProcess

• 0x4040b8 CreateRemoteThread

• 0x4040bc VirtualFree

• 0x4040c0 GetThreadContext

• 0x4040c4 CreateFileA

• 0x4040c8 SetThreadContext

• 0x4040cc OpenProcess

• 0x4040d0 TerminateThread

• 0x4040d4 CreateProcessA

• 0x4040d8 TerminateProcess

• 0x4040dc FlushInstructionCache

• 0x4040e0 GetShortPathNameA

• 0x4040e4 GetHandleInformation

• 0x4040e8 VirtualAllocEx

• 0x4040ec CreateToolhelp32Snapshot

• 0x4040f0 WriteProcessMemory

• 0x4040f4 ResumeThread

• 0x4040f8 CreateThread

• 0x4040fc WriteFile

• 0x404100 ReadFile

• 0x404104 GetFileSizeEx

• 0x404108 lstrcmpiA

• 0x40410c CopyFileA

• 0x404110 SetFileAttributesA

• 0x404114 GetTempFileNameA

Library USER32.dll:

• 0x404164 wsprintfW

• 0x404168 DestroyWindow

• 0x40416c keybd_event

• 0x404170 GetMessageA

• 0x404174 SetTimer

• 0x404178 RegisterClassExA

• 0x40417c PostQuitMessage

• 0x404180 KillTimer

• 0x404184 TranslateMessage

• 0x404188 DefWindowProcA

• 0x40418c ShowWindow

• 0x404190 FlashWindow

• 0x404194 DispatchMessageA

• 0x404198 UpdateWindow

• 0x40419c CreateWindowExA

Library SHELL32.dll:

• 0x404124 SHGetFolderPathA

• 0x404128 ShellExecuteExA

• 0x40412c SHGetFolderPathW

• 0x404130 ShellExecuteExW

Library ole32.dll:

• 0x4041c8 CoInitializeEx

• 0x4041cc CoUninitialize

Library PSAPI.DLL:

• 0x40411c GetModuleBaseNameW

Library SHLWAPI.dll:

• 0x404138 StrRChrA

• 0x40413c PathAppendA

• 0x404140 PathAppendW

• 0x404144 StrStrIA

• 0x404148 PathFileExistsA

• 0x40414c StrStrNIW

• 0x404150 PathAddExtensionA

• 0x404154 PathIsDirectoryA

• 0x404158 PathCombineA

• 0x40415c PathAddBackslashA

Library ntdll.dll:

• 0x4041a4 RtlImageNtHeader

• 0x4041a8 ZwClose

• 0x4041ac memset

• 0x4041b0 _alloca_probe

• 0x4041b4 strstr

• 0x4041b8 _snprintf

• 0x4041bc ZwSetInformationThread

• 0x4041c0 RtlUnwind

Library ADVAPI32.dll:

• 0x404000 CryptGetHashParam

• 0x404004 CryptAcquireContextA

• 0x404008 CryptCreateHash

• 0x40400c CryptDestroyHash

• 0x404010 CryptHashData

• 0x404014 OpenProcessToken

• 0x404018 GetSidSubAuthority

• 0x40401c GetSidSubAuthorityCount

• 0x404020 GetTokenInformation

• 0x404024 CryptReleaseContext

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
download.windowsupdate.com	A 106.7.64.1 A 116.11.67.6 CNAME k256.gslb.ksyuncdn.com A 124.229.60.6 A 222.216.123.6 CNAME 2-01-3cf7-0009.cdx.cedexis.net A 117.21.217.1 A 115.231.33.1 A 119.96.211.1 CNAME www.download.windowsupdate.com.download.ks-cdn.com A 124.229.53.1 CNAME wu-fg-shim.trafficmanager.net A 124.225.105.97 CNAME www.download.windowsupdate.com.cdn.dnsv1.com CNAME windowsupdate.sched.s11.tdnsv5.com CNAME 3573033.pack.cdntip.com	106.7.64.1
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
blatnoidomen.com
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	172.217.160.110
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49713	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	53380	114.114.114.114	53
192.168.56.101	53657	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	60221	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	62912	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57236	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	61680	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.