SmartHawk

17.8

0-day

60 个模型检测该样本为恶意！

重新分析

下载样本

be4c2083b065f457197a64c7192cc7f679a53e53737de2f64c41403170434faf

9ca877ff3a7b556688625b3491545527.exe

分析耗时

65s

最近分析

文件大小

353.6KB

静态报毒动态报毒 100% 66C98U5XYII A + TROJ AI SCORE=81 AIDETECTVM ATRAPS BDJL BLOCKER BSCOPE CHINA CONFIDENCE ELDORADO GENASA GENCIRC GENERICRXJA GENETIC GGBJBZ HIGH CONFIDENCE INVADER MALICIOUS PE MALWARE1 NCA@8M98I8 QVM20 RLW8FKXCJGM SCORE SHIFU SHIZ SIGGEN9 SMTH STATIC AI SUSGEN UNSAFE WQZ@XKN4ZK 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	TrojanSpy:Win32/Invader.a2fa1117	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:Shifu-B [Trj]	20201210	21.1.5827.0
Kingsoft		20201211	2017.9.26.565
McAfee	GenericRXJA-YC!9CA877FF3A7B	20201211	6.0.6.653
Tencent	Malware.Win32.Gencirc.10b0780b	20201211	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Queries for the computername (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619781549.280625 GetComputerNameA	computer_name: OSKAR-PC	success	1	0
1619781582.858125 GetComputerNameA	computer_name: OSKAR-PC	success	1	0

Command line console output was observed (9 个事件)

Time & API	Arguments	Status	Return
1619781549.983 WriteConsoleW	buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp> console_handle: 0x00000007	success	1
1619781549.983 WriteConsoleW	buffer: echo console_handle: 0x00000007	success	1
1619781549.983 WriteConsoleW	buffer: bvmhcvbwhcxwr console_handle: 0x00000007	success	1
1619781549.983 WriteConsoleW	buffer: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9ca877ff3a7b556688625b3491545527.exe" console_handle: 0x00000007	success	1
1619781550.03 WriteConsoleW	buffer: 另一个程序正在使用此文件，进程无法访问。 console_handle: 0x0000000b	success	1
1619781550.077 WriteConsoleW	buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp> console_handle: 0x00000007	success	1
1619781550.077 WriteConsoleW	buffer: del console_handle: 0x00000007	success	1
1619781550.077 WriteConsoleW	buffer: "C:\Users\Administrator.Oskar-PC\faeB524.tmp.bat" console_handle: 0x00000007	success	1
1619781550.171 WriteConsoleW	buffer: 找不到批处理文件。 console_handle: 0x0000000b	success	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallDate

This executable has a PDB path (1 个事件)

pdb_path

Z:\coding\project\main\result\result.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619781067.542184 GlobalMemoryStatusEx		success	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 2851 个事件)

Time & API	Arguments	Status
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004f9000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004f9000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004f9000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004f9000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004f9000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x004f9000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success
1619781067.120184 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00525000	success

Checks for known Chinese AV sofware registry keys (1 个事件)

regkey

.*rising

Creates executable files on the filesystem (2 个事件)

file	C:\Users\Administrator.Oskar-PC\faeB524.tmp.bat
file	C:\ProgramData\b66bbf8dff.exe

Drops a binary and executes it (1 个事件)

file	C:\Users\Administrator.Oskar-PC\faeB524.tmp.bat

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619781068.667184 ShellExecuteExW	parameters: "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9ca877ff3a7b556688625b3491545527.exe" filepath: C:\Users\Administrator.Oskar-PC\faeB524.tmp.bat filepath_r: C:\Users\Administrator.Oskar-PC\faeB524.tmp.bat show_type: 0	success	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (14 个事件)

Time & API	Arguments	Status	Return
1619781547.889625 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x000001c0 process_identifier: 2224	success	1
1619781547.905625 Process32NextW	process_name: taskhost.exe snapshot_handle: 0x000001c0 process_identifier: 152	success	1
1619781547.905625 Process32NextW	process_name: mobsync.exe snapshot_handle: 0x000001c0 process_identifier: 2856	success	1
1619781547.921625 Process32NextW	process_name: 9ca877ff3a7b556688625b3491545527.exe snapshot_handle: 0x000001c0 process_identifier: 2536	success	1
1619781547.936625 Process32NextW	process_name: svchost.exe snapshot_handle: 0x000001c0 process_identifier: 2200	success	1
1619781549.702625 Process32NextW	process_name: cmd.exe snapshot_handle: 0x00000520 process_identifier: 3120	success	1
1619781549.702625 Process32NextW	process_name: conhost.exe snapshot_handle: 0x00000520 process_identifier: 3216	success	1
1619781549.702625 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000520 process_identifier: 3248	success	1
1619781549.702625 Process32NextW	process_name: snapshot_handle: 0x00000520 process_identifier: 1952414801	failed	0
1619781551.311625 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000520 process_identifier: 3356	success	1
1619781576.483625 Process32NextW	process_name: inject-x86.exe snapshot_handle: 0x00000460 process_identifier: 3536	success	1
1619781581.905125 Process32NextW	process_name: svchost.exe snapshot_handle: 0x0000017c process_identifier: 3736	success	1
1619781581.905125 Process32NextW	process_name: dllhost.exe snapshot_handle: 0x0000017c process_identifier: 3744	success	1
1619781581.905125 Process32NextW	process_name: snapshot_handle: 0x0000017c process_identifier: 1952368923	failed	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619781549.796625 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.93472237364679

section

{'size_of_data': '0x00025200', 'virtual_address': '0x00006000', 'entropy': 7.93472237364679, 'name': '.data', 'virtual_size': '0x000256d4'}

description

A section with a high entropy has been found

entropy

0.9054878048780488

description

Overall entropy of this PE file is high

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 61 个事件)

Time & API	Arguments	Status
1619781552.764625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781553.296625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781553.811625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781554.327625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781554.858625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781555.358625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781555.874625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781556.374625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781556.889625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781557.421625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781557.921625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781558.436625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781558.952625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781559.452625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781559.968625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781560.483625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781560.999625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781561.530625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781562.046625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781562.561625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781563.077625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781563.593625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781564.108625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781564.624625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781565.139625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781565.655625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781566.171625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781566.686625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781567.186625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781567.702625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781568.218625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781568.733625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781569.264625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781569.780625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781570.296625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781570.811625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781571.327625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781571.843625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781572.358625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781572.874625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781573.374625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781573.889625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781574.405625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781574.936625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781575.436625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781575.952625 Process32NextW	process_name: snapshot_handle: 0x00000460 process_identifier: 0	failed
1619781584.124125 Process32NextW	process_name: snapshot_handle: 0x0000017c process_identifier: 0	failed
1619781584.639125 Process32NextW	process_name: snapshot_handle: 0x0000017c process_identifier: 0	failed
1619781585.171125 Process32NextW	process_name: snapshot_handle: 0x0000017c process_identifier: 0	failed
1619781585.702125 Process32NextW	process_name: snapshot_handle: 0x0000017c process_identifier: 0	failed

Created a process named as a common system process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619781064.745184 CreateProcessInternalW	thread_identifier: 2868 thread_handle: 0x000000a8 process_identifier: 2200 current_directory: filepath: C:\Windows\System32\svchost.exe track: 1 command_line: C:\ProgramData\b66bbf8dff.exe filepath_r: C:\Windows\system32\svchost.exe stack_pivoted: 0 creation_flags: 12 (CREATE_SUSPENDED\|DETACHED_PROCESS) process_handle: 0x000000b4 inherit_handles: 0	success	1	0

Uses Windows utilities for basic Windows functionality (1 个事件)

cmdline

C:\Users\Administrator.Oskar-PC\faeB524.tmp.bat "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9ca877ff3a7b556688625b3491545527.exe"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (7 个事件)

Time & API	Arguments	Status
1619781064.745184 NtAllocateVirtualMemory	process_identifier: 2200 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000000b4 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x000b0000	success
1619781066.104184 NtProtectVirtualMemory	process_identifier: 2200 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x000000b4 base_address: 0x002f0000	success
1619781548.014625 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000028c base_address: 0x02370000	success
1619781549.780625 NtProtectVirtualMemory	process_identifier: 3120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000054c base_address: 0x00260000	success
1619781549.811625 NtProtectVirtualMemory	process_identifier: 3248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000550 base_address: 0x00320000	success
1619781551.343625 NtProtectVirtualMemory	process_identifier: 3356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000544 base_address: 0x00450000	success
1619781576.999625 NtProtectVirtualMemory	process_identifier: 3536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000558 base_address: 0x01f30000	success

Attempts to identify installed AV products by registry key (19 个事件)

registry	HKEY_LOCAL_MACHINE\Software\Avg
registry	HKEY_LOCAL_MACHINE\Software\AVAST Software\Avast
registry	HKEY_LOCAL_MACHINE\Software\Avira
registry	HKEY_LOCAL_MACHINE\Software\Bitdefender
registry	HKEY_LOCAL_MACHINE\Software\Coranti
registry	HKEY_LOCAL_MACHINE\Software\Data Fellows\F-Secure
registry	HKEY_LOCAL_MACHINE\Software\Doctor Web
registry	HKEY_LOCAL_MACHINE\Software\Eset\Nod
registry	HKEY_LOCAL_MACHINE\Software\G Data
registry	HKEY_LOCAL_MACHINE\Software\Symantec
registry	HKEY_LOCAL_MACHINE\Software\KasperskyLab\protected
registry	HKEY_LOCAL_MACHINE\Software\Network Associates\TVD
registry	HKEY_LOCAL_MACHINE\Software\Panda Software
registry	HKEY_LOCAL_MACHINE\Software\rising
registry	HKEY_LOCAL_MACHINE\Software\Softed\ViGUARD
registry	HKEY_LOCAL_MACHINE\Software\Sophos
registry	HKEY_LOCAL_MACHINE\Software\TrendMicro
registry	HKEY_LOCAL_MACHINE\Software\VBA32
registry	HKEY_LOCAL_MACHINE\Software\Zone Labs\ZoneAlarm

Installs itself for autorun at Windows startup (1 个事件)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\IntelPowerAgent6

reg_value

rundll32.exe shell32.dll, ShellExec_RunDLL C:\PROGRA~3\B66BBF~1.EXE

Attempts to access Bitcoin/ALTCoin wallets (2 个事件)

file	C:\Users\Administrator.Oskar-PClitecoin\wallet.dat
file	C:\Users\Administrator.Oskar-PCbitcoin\wallet.dat

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\faeB524.tmp.bat

Disables proxy possibly for traffic interception (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619781549.061625 RegSetValueExA	key_handle: 0x00000390 value: 0 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	success	0	0
1619781582.608125 RegSetValueExA	key_handle: 0x000003a8 value: 0 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	success	0	0

Creates a thread using CreateRemoteThread in a non-child process indicative of process injection (10 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2200 created a remote thread in non-child process 2536
Process injection	Process 2200 created a remote thread in non-child process 3120
Process injection	Process 2200 created a remote thread in non-child process 3248
Process injection	Process 2200 created a remote thread in non-child process 3356
Process injection	Process 2200 created a remote thread in non-child process 3536
1619781548.014625 CreateRemoteThread	thread_identifier: 0 process_identifier: 2536 function_address: 0x0237114d flags: 0 process_handle: 0x0000028c parameter: 0x00000000 stack_size: 0	success	588	0
1619781549.780625 CreateRemoteThread	thread_identifier: 0 process_identifier: 3120 function_address: 0x0026114d flags: 0 process_handle: 0x0000054c parameter: 0x00000000 stack_size: 0	success	1364	0
1619781550.296625 CreateRemoteThread	thread_identifier: 0 process_identifier: 3248 function_address: 0x0032114d flags: 0 process_handle: 0x00000550 parameter: 0x00000000 stack_size: 0	success	1356	0
1619781551.764625 CreateRemoteThread	thread_identifier: 0 process_identifier: 3356 function_address: 0x0045114d flags: 0 process_handle: 0x00000544 parameter: 0x00000000 stack_size: 0	success	1360	0
1619781578.233625 CreateRemoteThread	thread_identifier: 0 process_identifier: 3536 function_address: 0x01f3114d flags: 0 process_handle: 0x00000558 parameter: 0x00000000 stack_size: 0	failed	0	0

Manipulates memory of a non-child process indicative of process injection (15 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2200 manipulating memory of non-child process 2536
Process injection	Process 2200 manipulating memory of non-child process 3120
Process injection	Process 2200 manipulating memory of non-child process 3248
Process injection	Process 2200 manipulating memory of non-child process 3356
Process injection	Process 2200 manipulating memory of non-child process 3536
1619781547.968625 NtAllocateVirtualMemory	process_identifier: 2536 region_size: 483328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x0000028c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02370000	success	0	0
1619781548.014625 NtProtectVirtualMemory	process_identifier: 2536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000028c base_address: 0x02370000	success	0	0
1619781549.718625 NtAllocateVirtualMemory	process_identifier: 3120 region_size: 483328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x0000054c allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00260000	success	0	0
1619781549.780625 NtProtectVirtualMemory	process_identifier: 3120 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x0000054c base_address: 0x00260000	success	0	0
1619781549.780625 NtAllocateVirtualMemory	process_identifier: 3248 region_size: 483328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000550 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00320000	success	0	0
1619781549.811625 NtProtectVirtualMemory	process_identifier: 3248 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000550 base_address: 0x00320000	success	0	0
1619781551.327625 NtAllocateVirtualMemory	process_identifier: 3356 region_size: 483328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000544 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00450000	success	0	0
1619781551.343625 NtProtectVirtualMemory	process_identifier: 3356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000544 base_address: 0x00450000	success	0	0
1619781576.968625 NtAllocateVirtualMemory	process_identifier: 3536 region_size: 483328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) process_handle: 0x00000558 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01f30000	success	0	0
1619781576.999625 NtProtectVirtualMemory	process_identifier: 3536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 200704 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000558 base_address: 0x01f30000	success	0	0

Potential code injection by writing to the memory of another process (12 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2200 injected into non-child 2536
Process injection	Process 2200 injected into non-child 3120
Process injection	Process 2200 injected into non-child 3248
Process injection	Process 2200 injected into non-child 3356
Process injection	Process 2200 injected into non-child 3536
1619781064.761184 WriteProcessMemory	process_identifier: 2200 buffer: jÿhÿ5vÃ process_handle: 0x000000b4 base_address: 0x000b0000	success	1	0
1619781066.104184 WriteProcessMemory	process_identifier: 2200 buffer: CÉÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $º¼_þbÒþbÒþbÒ÷GÿbÒm,JÿbÒAËübÒþbÒýbÒAÿbÒ÷VÿbÒ÷A×bÒþbÓ¸cÒåÿ}¹bÒåÿOÿbÒRichþbÒ^léºLbåUà! äìM@¤'\|ð¤.text¬ÃÄ `codeAà È `.rdataÎABè@@.data$PB*@À.reloc°ðl@B process_handle: 0x000000b4 base_address: 0x002f0000	success	1	0
1619781547.983625 WriteProcessMemory	process_identifier: 2536 buffer: CÉÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $º¼_þbÒþbÒþbÒ÷GÿbÒm,JÿbÒAËübÒþbÒýbÒAÿbÒ÷VÿbÒ÷A×bÒþbÓ¸cÒåÿ}¹bÒåÿOÿbÒRichþbÒ^léºLbåUà! äìM@¤'\|ð¤.text¬ÃÄ `codeAà È `.rdataÎABè@@.data$PB*@À.reloc°ðl@B process_handle: 0x0000028c base_address: 0x02370000	success	1	0
1619781549.718625 WriteProcessMemory	process_identifier: 3120 buffer: CÉÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $º¼_þbÒþbÒþbÒ÷GÿbÒm,JÿbÒAËübÒþbÒýbÒAÿbÒ÷VÿbÒ÷A×bÒþbÓ¸cÒåÿ}¹bÒåÿOÿbÒRichþbÒ^léºLbåUà! äìM@¤'\|ð¤.text¬ÃÄ `codeAà È `.rdataÎABè@@.data$PB*@À.reloc°ðl@B process_handle: 0x0000054c base_address: 0x00260000	success	1	0
1619781549.780625 WriteProcessMemory	process_identifier: 3248 buffer: CÉÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $º¼_þbÒþbÒþbÒ÷GÿbÒm,JÿbÒAËübÒþbÒýbÒAÿbÒ÷VÿbÒ÷A×bÒþbÓ¸cÒåÿ}¹bÒåÿOÿbÒRichþbÒ^léºLbåUà! äìM@¤'\|ð¤.text¬ÃÄ `codeAà È `.rdataÎABè@@.data$PB*@À.reloc°ðl@B process_handle: 0x00000550 base_address: 0x00320000	success	1	0
1619781551.327625 WriteProcessMemory	process_identifier: 3356 buffer: CÉÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $º¼_þbÒþbÒþbÒ÷GÿbÒm,JÿbÒAËübÒþbÒýbÒAÿbÒ÷VÿbÒ÷A×bÒþbÓ¸cÒåÿ}¹bÒåÿOÿbÒRichþbÒ^léºLbåUà! äìM@¤'\|ð¤.text¬ÃÄ `codeAà È `.rdataÎABè@@.data$PB*@À.reloc°ðl@B process_handle: 0x00000544 base_address: 0x00450000	success	1	0
1619781576.968625 WriteProcessMemory	process_identifier: 3536 buffer: CÉÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $º¼_þbÒþbÒþbÒ÷GÿbÒm,JÿbÒAËübÒþbÒýbÒAÿbÒ÷VÿbÒ÷A×bÒþbÓ¸cÒåÿ}¹bÒåÿOÿbÒRichþbÒ^léºLbåUà! äìM@¤'\|ð¤.text¬ÃÄ `codeAà È `.rdataÎABè@@.data$PB*@À.reloc°ðl@B process_handle: 0x00000558 base_address: 0x01f30000	success	1	0

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)

Time & API	Arguments	Status
1619781552.405625 RegSetValueExA	key_handle: 0x00000528 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1619781552.405625 RegSetValueExA	key_handle: 0x00000528 value: PLX&=× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1619781552.405625 RegSetValueExA	key_handle: 0x00000528 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1619781552.405625 RegSetValueExW	key_handle: 0x00000528 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1619781552.421625 RegSetValueExA	key_handle: 0x00000558 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1619781552.421625 RegSetValueExA	key_handle: 0x00000558 value: PLX&=× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1619781552.421625 RegSetValueExA	key_handle: 0x00000558 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1619781552.483625 RegSetValueExW	key_handle: 0x00000524 value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success

Network activity contains more than one unique useragent (2 个事件)

process	svchost.exe				useragent	Internal
process	svchost.exe				useragent	Mozilla/5.0 (Windows; U; Windows NT 5.2 x64; en-US; rv:1.9a1) Gecko/20061007 Minefield/3.0a1

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2536 called NtSetContextThread to modify thread in remote process 2200
1619781064.761184 NtSetContextThread	thread_handle: 0x000000a8 registers.eip: 2010382788 registers.esp: 3078220 registers.edi: 0 registers.eax: 720896 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 2200	success	0	0

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2015-09-01 16:30:23

Imports

Library KERNEL32.dll:

• 0x40402c GetLastError

• 0x404030 CloseHandle

• 0x404034 GetModuleFileNameW

• 0x404038 DeleteFileA

• 0x40403c Sleep

• 0x404040 GetProcessHeap

• 0x404044 WaitForSingleObject

• 0x404048 HeapFree

• 0x40404c HeapAlloc

• 0x404050 GetCommandLineW

• 0x404054 LocalFree

• 0x404058 GetCurrentProcessId

• 0x40405c GetVersionExA

• 0x404060 LocalAlloc

• 0x404064 LoadLibraryA

• 0x404068 FreeLibrary

• 0x40406c GetModuleHandleA

• 0x404070 GetProcAddress

• 0x404074 GetModuleFileNameA

• 0x404078 GetVersionExW

• 0x40407c GetSystemWindowsDirectoryA

• 0x404080 GlobalFindAtomA

• 0x404084 ExpandEnvironmentStringsA

• 0x404088 GetCurrentProcess

• 0x40408c GlobalAddAtomA

• 0x404090 SetErrorMode

• 0x404094 lstrcpynA

• 0x404098 ExitProcess

• 0x40409c GetTickCount

• 0x4040a0 Module32Next

• 0x4040a4 GlobalMemoryStatusEx

• 0x4040a8 VirtualProtectEx

• 0x4040ac VirtualAlloc

• 0x4040b0 Module32First

• 0x4040b4 GetExitCodeProcess

• 0x4040b8 CreateRemoteThread

• 0x4040bc VirtualFree

• 0x4040c0 GetThreadContext

• 0x4040c4 CreateFileA

• 0x4040c8 SetThreadContext

• 0x4040cc OpenProcess

• 0x4040d0 TerminateThread

• 0x4040d4 CreateProcessA

• 0x4040d8 TerminateProcess

• 0x4040dc FlushInstructionCache

• 0x4040e0 GetShortPathNameA

• 0x4040e4 GetHandleInformation

• 0x4040e8 VirtualAllocEx

• 0x4040ec CreateToolhelp32Snapshot

• 0x4040f0 WriteProcessMemory

• 0x4040f4 ResumeThread

• 0x4040f8 CreateThread

• 0x4040fc WriteFile

• 0x404100 ReadFile

• 0x404104 GetFileSizeEx

• 0x404108 lstrcmpiA

• 0x40410c CopyFileA

• 0x404110 SetFileAttributesA

• 0x404114 GetTempFileNameA

Library USER32.dll:

• 0x404164 wsprintfW

• 0x404168 DestroyWindow

• 0x40416c keybd_event

• 0x404170 GetMessageA

• 0x404174 SetTimer

• 0x404178 RegisterClassExA

• 0x40417c PostQuitMessage

• 0x404180 KillTimer

• 0x404184 TranslateMessage

• 0x404188 DefWindowProcA

• 0x40418c ShowWindow

• 0x404190 FlashWindow

• 0x404194 DispatchMessageA

• 0x404198 UpdateWindow

• 0x40419c CreateWindowExA

Library SHELL32.dll:

• 0x404124 SHGetFolderPathA

• 0x404128 ShellExecuteExA

• 0x40412c SHGetFolderPathW

• 0x404130 ShellExecuteExW

Library ole32.dll:

• 0x4041c8 CoInitializeEx

• 0x4041cc CoUninitialize

Library PSAPI.DLL:

• 0x40411c GetModuleBaseNameW

Library SHLWAPI.dll:

• 0x404138 StrRChrA

• 0x40413c PathAppendA

• 0x404140 PathAppendW

• 0x404144 StrStrIA

• 0x404148 PathFileExistsA

• 0x40414c StrStrNIW

• 0x404150 PathAddExtensionA

• 0x404154 PathIsDirectoryA

• 0x404158 PathCombineA

• 0x40415c PathAddBackslashA

Library ntdll.dll:

• 0x4041a4 RtlImageNtHeader

• 0x4041a8 ZwClose

• 0x4041ac memset

• 0x4041b0 _alloca_probe

• 0x4041b4 strstr

• 0x4041b8 _snprintf

• 0x4041bc ZwSetInformationThread

• 0x4041c0 RtlUnwind

Library ADVAPI32.dll:

• 0x404000 CryptGetHashParam

• 0x404004 CryptAcquireContextA

• 0x404008 CryptCreateHash

• 0x40400c CryptDestroyHash

• 0x404010 CryptHashData

• 0x404014 OpenProcessToken

• 0x404018 GetSidSubAuthority

• 0x40401c GetSidSubAuthorityCount

• 0x404020 GetTokenInformation

• 0x404024 CryptReleaseContext

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
download.windowsupdate.com	A 124.225.105.97 CNAME 2-01-3cf7-0009.cdx.cedexis.net CNAME www.download.windowsupdate.com.cdn.dnsv1.com CNAME windowsupdate.sched.s11.tdnsv5.com CNAME 3573033.pack.cdntip.com CNAME wu-fg-shim.trafficmanager.net	124.225.105.97
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
blatnoidomen.com
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com		127.0.0.1

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	49713	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	57874	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	61680	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	50568	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57756	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.