SmartHawk

14.6

0-day

16 个模型检测该样本为恶意！

重新分析

下载样本

33ee1ea7a9098e966716e37a0ac8118b4cc2bf2cd2669e17b4db409ef03b1953

a9a25c3d49529bf91827fbcb88b37fa9.exe

分析耗时

139s

最近分析

文件大小

2.9MB

静态报毒动态报毒 ARTEMIS BROWSEFOX BUNDLEINSTALLER ELDORADO FILEREPMETAGEN GENERIC ML PUA HIGH CONFIDENCE R346996 SCORE WEBCOMPANION WEBCOMPANION7806 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba		20190527	0.3.0.5
CrowdStrike		20190702	1.0
Baidu		20190318	1.0.0.2
Kingsoft		20201209	2017.9.26.565
McAfee	Artemis!A9A25C3D4952	20201209	6.0.6.653
Tencent		20201209	1.0.0.1

Queries for the computername (49 个事件)

Time & API	Arguments	Status	Return
1621006052.752626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006053.877626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006054.267626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006054.455626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006055.002626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006055.361626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006056.017626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006056.080626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006056.502626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006056.673626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006056.939626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006057.095626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006057.267626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006057.533626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006057.658626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006057.752626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006057.908626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006058.080626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006060.361626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006061.955626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006063.689626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006065.157876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006070.251876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006082.391876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006082.610876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006082.657876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006082.672876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006082.985876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006084.751876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006086.641876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006088.579876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006090.376876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006090.532876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006090.860876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006091.141876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006091.438876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006092.032876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006092.172876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006092.579876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006093.063876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006093.282876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006093.485876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006093.688876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006094.001876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006094.282876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006094.391876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006094.594876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006094.719876 GetComputerNameW	computer_name: OSKAR-PC	success	1
1621006095.329876 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (9 个事件)

Time & API	Arguments	Status	Return	Repeated
1620985517.266125 IsDebuggerPresent		failed	0	0
1621006057.938876 IsDebuggerPresent		failed	0	0
1621006057.938876 IsDebuggerPresent		failed	0	0
1621006086.454876 IsDebuggerPresent		failed	0	0
1621006086.735876 IsDebuggerPresent		failed	0	0
1621006087.297876 IsDebuggerPresent		failed	0	0
1621006088.251876 IsDebuggerPresent		failed	0	0
1621006088.454876 IsDebuggerPresent		failed	0	0
1621006088.626876 IsDebuggerPresent		failed	0	0

Uses Windows APIs to generate a cryptographic key (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1621006066.485876 CryptExportKey	crypto_handle: 0x00356e10 crypto_export_handle: 0x00000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1	0

This executable is signed

Tries to locate where the browsers are installed (4 个事件)

file	C:\Program Files\Google\Chrome\Application\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\InstallDate
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1621006051.939626 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)

section

.sxdata

The executable uses a known packer (1 个事件)

packer

Armadillo v1.71

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (12 个事件)

suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart
suspicious_features	GET method with no useragent header	suspicious_request	GET https://h2oapi.adaware.com/v1/bundleinfo/06aa3dead622d62b43e76c619262e30e7d33ead4
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://sos.adaware.com/v1/bundle/list/?bundleId=SFT002
suspicious_features	GET method with no useragent header	suspicious_request	GET https://sos.adaware.com/v1/offer/detail/?_id=992f1ec156551c350d08a1c127eeaa2522fa8fa1
suspicious_features	GET method with no useragent header	suspicious_request	GET https://sos.adaware.com/v1/offer/detail/?_id=575a0a3c11ae1c0f3a499539d6299cb1929c6584
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleInstallStart
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=PageShown
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleProposedOffers
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=OfferDetailsReceived
suspicious_features	POST method with no referer header, POST method with no useragent header	suspicious_request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleOffersApproved
suspicious_features	POST method with no referer header	suspicious_request	POST https://update.googleapis.com/service/update2?cup2key=10:2889043169&cup2hreq=3d204f78a1a1924fab32658e1b8f63ae03460806f78f75f722b387a20614dd3d

Performs some HTTP requests (15 个事件)

request	POST http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart
request	POST http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart
request	HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620976578&mv=m&mvi=3&pl=17&shardbypass=yes
request	GET http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620976578&mv=m&mvi=3&pl=17&shardbypass=yes
request	GET https://h2oapi.adaware.com/v1/bundleinfo/06aa3dead622d62b43e76c619262e30e7d33ead4
request	POST https://sos.adaware.com/v1/bundle/list/?bundleId=SFT002
request	GET https://sos.adaware.com/v1/offer/detail/?_id=992f1ec156551c350d08a1c127eeaa2522fa8fa1
request	GET https://sos.adaware.com/v1/offer/detail/?_id=575a0a3c11ae1c0f3a499539d6299cb1929c6584
request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleInstallStart
request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=PageShown
request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleProposedOffers
request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=OfferDetailsReceived
request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleOffersApproved
request	POST https://update.googleapis.com/service/update2?cup2key=10:2889043169&cup2hreq=3d204f78a1a1924fab32658e1b8f63ae03460806f78f75f722b387a20614dd3d

Sends data using the HTTP POST Method (9 个事件)

request	POST http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart
request	POST http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart
request	POST https://sos.adaware.com/v1/bundle/list/?bundleId=SFT002
request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleInstallStart
request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=PageShown
request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleProposedOffers
request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=OfferDetailsReceived
request	POST https://flow.lavasoft.com/v1/event-stat/?ProductID=IS&Type=BundleOffersApproved
request	POST https://update.googleapis.com/service/update2?cup2key=10:2889043169&cup2hreq=3d204f78a1a1924fab32658e1b8f63ae03460806f78f75f722b387a20614dd3d

Allocates read-write-execute memory (usually to unpack itself) (50 out of 325 个事件)

Time & API	Arguments	Status
1621006056.547876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00630000	success
1621006056.547876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00780000	success
1621006057.422876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00630000	success
1621006057.422876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x006d0000	success
1621006057.688876 NtProtectVirtualMemory	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success
1621006057.938876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00b40000	success
1621006057.938876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00bd0000	success
1621006057.938876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0054a000	success
1621006057.938876 NtProtectVirtualMemory	process_identifier: 1908 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success
1621006057.938876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00542000	success
1621006058.485876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00562000	success
1621006058.751876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00585000	success
1621006058.797876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0058b000	success
1621006058.797876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00587000	success
1621006059.454876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00563000	success
1621006059.610876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0056c000	success
1621006059.891876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00564000	success
1621006059.985876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00cb0000	success
1621006060.079876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00565000	success
1621006060.079876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00566000	success
1621006060.126876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00567000	success
1621006060.219876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00568000	success
1621006060.219876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00569000	success
1621006060.266876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d90000	success
1621006060.282876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d91000	success
1621006060.282876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d92000	success
1621006060.282876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0056d000	success
1621006060.297876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d93000	success
1621006060.297876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d94000	success
1621006060.297876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d95000	success
1621006060.297876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d96000	success
1621006060.297876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d97000	success
1621006060.313876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d98000	success
1621006060.313876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0056e000	success
1621006060.313876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d99000	success
1621006060.313876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d9a000	success
1621006060.313876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d9b000	success
1621006060.313876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d9c000	success
1621006060.313876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d9d000	success
1621006060.329876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d9e000	success
1621006060.329876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0056f000	success
1621006060.329876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00d9f000	success
1621006060.329876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00da0000	success
1621006060.329876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00da1000	success
1621006060.344876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00da2000	success
1621006060.376876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00da3000	success
1621006061.032876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00da4000	success
1621006061.204876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00da5000	success
1621006061.219876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00e80000	success
1621006061.219876 NtAllocateVirtualMemory	process_identifier: 1908 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00da6000	success

A process attempted to delay the analysis task. (1 个事件)

description

GenericSetup.exe tried to sleep 125 seconds, actually delayed analysis time by 125 seconds

Creates executable files on the filesystem (22 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\GenericSetup.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\es\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\it\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\de\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\pt\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\ru\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\H2OSciter.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\MyDownloader.Core.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\MyDownloader.Extension.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\GenericSetup.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\en\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Microsoft.Win32.TaskScheduler.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Newtonsoft.Json.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\fr\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\DevLib.Services.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\OfferServiceBLL.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\DevLib.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Shared.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\OfferServiceSDK.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\sciter32.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\installer.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\HtmlAgilityPack.dll

Drops a binary and executes it (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\GenericSetup.exe

Drops an executable to the user AppData folder (22 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\OfferServiceSDK.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\ru\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\de\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\MyDownloader.Core.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\DevLib.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\DevLib.Services.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\GenericSetup.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\fr\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\MyDownloader.Extension.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\it\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Microsoft.Win32.TaskScheduler.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\GenericSetup.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\pt\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\installer.exe
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Newtonsoft.Json.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\en\DevLib.resources.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\sciter32.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Shared.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\HtmlAgilityPack.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\OfferServiceBLL.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\H2OSciter.dll
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\es\DevLib.resources.dll

Executes one or more WMI queries (7 个事件)

wmi	SELECT * FROM Win32_VideoController
wmi	Select * from Win32_ComputerSystem
wmi	SELECT * FROM Win32_BIOS
wmi	SELECT * FROM Win32_DiskDrive
wmi	SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=True
wmi	SELECT * FROM Win32_Processor
wmi	SELECT * FROM Win32_BaseBoard

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1621006076.438876 GetAdaptersAddresses	flags: 15 family: 0	failed	111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1621006063.782876 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Expresses interest in specific running processes (1 个事件)

process

installer.exe

Queries for potentially installed applications (50 out of 98 个事件)

Time & API	Arguments	Status
1621006082.532876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x80000002 key_handle: 0x000007a8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall options: 0	success
1621006082.547876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook regkey_r: AddressBook options: 0	success
1621006082.547876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager regkey_r: Connection Manager options: 0	success
1621006082.547876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx regkey_r: DirectDrawEx options: 0	success
1621006082.563876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore regkey_r: Fontcore options: 0	success
1621006082.563876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome regkey_r: Google Chrome options: 0	success
1621006082.579876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40 regkey_r: IE40 options: 0	success
1621006082.579876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data regkey_r: IE4Data options: 0	success
1621006082.579876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX regkey_r: IE5BAKEX options: 0	success
1621006082.579876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData regkey_r: IEData options: 0	success
1621006082.579876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack regkey_r: MobileOptionPack options: 0	success
1621006082.579876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent regkey_r: SchedulingAgent options: 0	success
1621006082.594876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000007a8 key_handle: 0x000007d0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC regkey_r: WIC options: 0	success
1621006090.626876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x80000002 key_handle: 0x000009f0 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall options: 0	success
1621006090.657876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f0 key_handle: 0x000009f8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook regkey_r: AddressBook options: 0	success
1621006090.657876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f0 key_handle: 0x000009f8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager regkey_r: Connection Manager options: 0	success
1621006090.657876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f0 key_handle: 0x000009f8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx regkey_r: DirectDrawEx options: 0	success
1621006090.657876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f0 key_handle: 0x000009f8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore regkey_r: Fontcore options: 0	success
1621006090.657876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f0 key_handle: 0x000009f8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome regkey_r: Google Chrome options: 0	success
1621006090.672876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f0 key_handle: 0x000009f8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40 regkey_r: IE40 options: 0	success
1621006090.672876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f0 key_handle: 0x000009f8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data regkey_r: IE4Data options: 0	success
1621006090.672876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f0 key_handle: 0x000009f8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX regkey_r: IE5BAKEX options: 0	success
1621006090.672876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f0 key_handle: 0x000009f8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData regkey_r: IEData options: 0	success
1621006090.688876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f0 key_handle: 0x000009f8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack regkey_r: MobileOptionPack options: 0	success
1621006090.688876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f0 key_handle: 0x000009f8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent regkey_r: SchedulingAgent options: 0	success
1621006090.688876 RegOpenKeyExW	access: 0x00020019 base_handle: 0x000009f0 key_handle: 0x000009f8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC regkey_r: WIC options: 0	success
1621006097.172876 RegOpenKeyExW	access: 0x00020219 base_handle: 0x80000002 key_handle: 0x000007d8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall options: 0	success
1621006097.172876 RegOpenKeyExW	access: 0x00020219 base_handle: 0x000007d8 key_handle: 0x000009cc regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook regkey_r: AddressBook options: 0	success
1621006097.188876 RegOpenKeyExW	access: 0x00020219 base_handle: 0x000007d8 key_handle: 0x000009cc regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager regkey_r: Connection Manager options: 0	success
1621006097.188876 RegOpenKeyExW	access: 0x00020219 base_handle: 0x000007d8 key_handle: 0x000009cc regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx regkey_r: DirectDrawEx options: 0	success
1621006097.188876 RegOpenKeyExW	access: 0x00020219 base_handle: 0x000007d8 key_handle: 0x000009cc regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore regkey_r: Fontcore options: 0	success
1621006097.188876 RegOpenKeyExW	access: 0x00020219 base_handle: 0x000007d8 key_handle: 0x000009cc regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome regkey_r: Google Chrome options: 0	success
1621006097.188876 RegOpenKeyExW	access: 0x00020219 base_handle: 0x000007d8 key_handle: 0x000009cc regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40 regkey_r: IE40 options: 0	success
1621006097.188876 RegOpenKeyExW	access: 0x00020219 base_handle: 0x000007d8 key_handle: 0x000009cc regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data regkey_r: IE4Data options: 0	success
1621006097.188876 RegOpenKeyExW	access: 0x00020219 base_handle: 0x000007d8 key_handle: 0x000009cc regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX regkey_r: IE5BAKEX options: 0	success
1621006097.188876 RegOpenKeyExW	access: 0x00020219 base_handle: 0x000007d8 key_handle: 0x000009cc regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData regkey_r: IEData options: 0	success
1621006097.188876 RegOpenKeyExW	access: 0x00020219 base_handle: 0x000007d8 key_handle: 0x000009cc regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack regkey_r: MobileOptionPack options: 0	success
1621006097.188876 RegOpenKeyExW	access: 0x00020219 base_handle: 0x000007d8 key_handle: 0x000009cc regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent regkey_r: SchedulingAgent options: 0	success
1621006097.188876 RegOpenKeyExW	access: 0x00020219 base_handle: 0x000007d8 key_handle: 0x000009cc regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC regkey_r: WIC options: 0	success
1621006097.188876 RegOpenKeyExW	access: 0x00020119 base_handle: 0x80000002 key_handle: 0x000007d8 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall options: 0	success
1621006097.204876 RegOpenKeyExW	access: 0x00020119 base_handle: 0x000007d8 key_handle: 0x000009cc regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook regkey_r: AddressBook options: 0	success
1621006097.204876 RegOpenKeyExW	access: 0x00020119 base_handle: 0x000007d8 key_handle: 0x000009cc regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager regkey_r: Connection Manager options: 0	success
1621006097.204876 RegOpenKeyExW	access: 0x00020119 base_handle: 0x000007d8 key_handle: 0x000009cc regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx regkey_r: DirectDrawEx options: 0	success
1621006097.204876 RegOpenKeyExW	access: 0x00020119 base_handle: 0x000007d8 key_handle: 0x000009cc regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime regkey_r: DXM_Runtime options: 0	success
1621006097.204876 RegOpenKeyExW	access: 0x00020119 base_handle: 0x000007d8 key_handle: 0x000009cc regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore regkey_r: Fontcore options: 0	success
1621006097.204876 RegOpenKeyExW	access: 0x00020119 base_handle: 0x000007d8 key_handle: 0x000009cc regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40 regkey_r: IE40 options: 0	success
1621006097.219876 RegOpenKeyExW	access: 0x00020119 base_handle: 0x000007d8 key_handle: 0x000009cc regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data regkey_r: IE4Data options: 0	success
1621006097.219876 RegOpenKeyExW	access: 0x00020119 base_handle: 0x000007d8 key_handle: 0x000009cc regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX regkey_r: IE5BAKEX options: 0	success
1621006097.219876 RegOpenKeyExW	access: 0x00020119 base_handle: 0x000007d8 key_handle: 0x000009cc regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData regkey_r: IEData options: 0	success
1621006097.219876 RegOpenKeyExW	access: 0x00020119 base_handle: 0x000007d8 key_handle: 0x000009cc regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft .NET Framework 4 Client Profile regkey_r: Microsoft .NET Framework 4 Client Profile options: 0	success

Executes one or more WMI queries which can be used to identify virtual machines (4 个事件)

wmi	SELECT * FROM Win32_Processor
wmi	SELECT * FROM Win32_BIOS
wmi	Select * from Win32_ComputerSystem
wmi	SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled=True

Communicates with host for which no DNS query was performed (3 个事件)

host	172.217.24.14
host	203.208.40.34
host	203.208.41.33

Attempts to identify installed AV products by registry key (2 个事件)

registry	HKEY_LOCAL_MACHINE\SOFTWARE\AVAST Software\Browser\Update
registry	HKEY_CURRENT_USER\SOFTWARE\AVAST Software\Browser\Update

Looks for the Windows Idle Time to determine the uptime (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1621006083.782876 NtQuerySystemInformation	information_class: 8 (SystemProcessorPerformanceInformation)	success	0	0

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 个事件)

Elastic	malicious (high confidence)
DrWeb	Adware.Downware.19662
FireEye	Generic.mg.a9a25c3d49529bf9
Sangfor	Malware
Cyren	W32/WebCompanion.D.gen!Eldorado
ESET-NOD32	a variant of Win32/WebCompanion.B potentially unwanted
Paloalto	generic.ml
Sophos	Generic ML PUA (PUA)
McAfee-GW-Edition	Artemis!Trojan
Emsisoft	Application.Downloader (A)
Cynet	Malicious (score: 100)
AhnLab-V3	PUP/Win32.BrowseFox.R346996
McAfee	Artemis!A9A25C3D4952
Malwarebytes	PUP.Optional.BundleInstaller
Fortinet	Riskware/WebCompanion7806
AVG	FileRepMetagen [PUP]

Performs 88 file moves indicative of a ransomware file encryption process (50 out of 88 个事件)

Time & API	Arguments	Status	Return
1621006045.767626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\de\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\de\DevLib.resources.dll	success	1
1621006045.955626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\de newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\de	success	1
1621006046.017626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\en\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\en\DevLib.resources.dll	success	1
1621006046.173626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\en newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\en	success	1
1621006046.298626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\es\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\es\DevLib.resources.dll	success	1
1621006046.423626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\es newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\es	success	1
1621006046.439626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\fr\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\fr\DevLib.resources.dll	success	1
1621006046.580626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\fr newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\fr	success	1
1621006046.658626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\it\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\it\DevLib.resources.dll	success	1
1621006046.830626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\it newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\it	success	1
1621006046.892626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\pt\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\pt\DevLib.resources.dll	success	1
1621006047.033626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\pt newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\pt	success	1
1621006047.142626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\images\loader.gif newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\images\loader.gif	success	1
1621006047.377626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\images\warning48x48.png newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\images\warning48x48.png	success	1
1621006047.455626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\images newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\images	success	1
1621006047.486626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\Config.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\Config.tis	success	1
1621006047.580626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\EventHandler.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\EventHandler.tis	success	1
1621006047.642626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\Log.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\Log.tis	success	1
1621006047.720626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\TranslateOfferTemplate.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\TranslateOfferTemplate.tis	success	1
1621006047.783626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\ViewStateLoader.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\ViewStateLoader.tis	success	1
1621006047.923626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis	success	1
1621006047.970626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\images\loader.gif newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\images\loader.gif	success	1
1621006048.048626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\images\warning48x48.png newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\images\warning48x48.png	success	1
1621006048.095626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\InstallingPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\InstallingPage.html	success	1
1621006048.205626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\LaunchCarrierPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\LaunchCarrierPage.html	success	1
1621006048.298626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\OfferPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\OfferPage.html	success	1
1621006048.502626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\ScanningPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\ScanningPage.html	success	1
1621006048.611626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\style.css newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\style.css	success	1
1621006048.705626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\Config.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\Config.tis	success	1
1621006048.752626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\EventHandler.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\EventHandler.tis	success	1
1621006048.798626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\Log.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\Log.tis	success	1
1621006048.845626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\TranslateOfferTemplate.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\TranslateOfferTemplate.tis	success	1
1621006048.892626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\ViewStateLoader.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\ViewStateLoader.tis	success	1
1621006048.923626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\WelcomePage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\WelcomePage.html	success	1
1621006048.970626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources	success	1
1621006048.970626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\images\loader.gif newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\images\loader.gif	success	1
1621006049.002626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\images\warning48x48.png newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\images\warning48x48.png	success	1
1621006049.033626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\images newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\images	success	1
1621006049.080626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\Config.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\Config.tis	success	1
1621006049.127626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\EventHandler.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\EventHandler.tis	success	1
1621006049.173626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\Log.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\Log.tis	success	1
1621006049.220626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\TranslateOfferTemplate.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\TranslateOfferTemplate.tis	success	1
1621006049.267626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\ViewStateLoader.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\ViewStateLoader.tis	success	1
1621006049.298626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis	success	1
1621006049.330626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\ru\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\ru\DevLib.resources.dll	success	1
1621006049.439626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\ru newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\ru	success	1
1621006049.470626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\2021.05.14_18.27.25.923625_installer_pid=2268.txt newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\2021.05.14_18.27.25.923625_installer_pid=2268.txt	success	1
1621006049.548626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\app.ico newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\app.ico	success	1
1621006049.595626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\BundleConfig.json newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\BundleConfig.json	success	1
1621006049.658626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Carrier.HTML newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Carrier.HTML	success	1

Appends a new file extension or content to 88 files indicative of a ransomware file encryption process (50 out of 88 个事件)

Time & API	Arguments	Status	Return
1621006045.767626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\de\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\de\DevLib.resources.dll	success	1
1621006045.955626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\de newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\de	success	1
1621006046.017626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\en\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\en\DevLib.resources.dll	success	1
1621006046.173626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\en newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\en	success	1
1621006046.298626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\es\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\es\DevLib.resources.dll	success	1
1621006046.423626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\es newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\es	success	1
1621006046.439626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\fr\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\fr\DevLib.resources.dll	success	1
1621006046.580626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\fr newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\fr	success	1
1621006046.658626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\it\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\it\DevLib.resources.dll	success	1
1621006046.830626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\it newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\it	success	1
1621006046.892626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\pt\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\pt\DevLib.resources.dll	success	1
1621006047.033626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\pt newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\pt	success	1
1621006047.142626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\images\loader.gif newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\images\loader.gif	success	1
1621006047.377626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\images\warning48x48.png newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\images\warning48x48.png	success	1
1621006047.455626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\images newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\images	success	1
1621006047.486626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\Config.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\Config.tis	success	1
1621006047.580626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\EventHandler.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\EventHandler.tis	success	1
1621006047.642626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\Log.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\Log.tis	success	1
1621006047.720626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\TranslateOfferTemplate.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\TranslateOfferTemplate.tis	success	1
1621006047.783626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\ViewStateLoader.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\ViewStateLoader.tis	success	1
1621006047.923626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis	success	1
1621006047.970626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\images\loader.gif newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\images\loader.gif	success	1
1621006048.048626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\images\warning48x48.png newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\images\warning48x48.png	success	1
1621006048.095626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\InstallingPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\InstallingPage.html	success	1
1621006048.205626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\LaunchCarrierPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\LaunchCarrierPage.html	success	1
1621006048.298626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\OfferPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\OfferPage.html	success	1
1621006048.502626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\ScanningPage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\ScanningPage.html	success	1
1621006048.611626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\style.css newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\style.css	success	1
1621006048.705626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\Config.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\Config.tis	success	1
1621006048.752626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\EventHandler.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\EventHandler.tis	success	1
1621006048.798626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\Log.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\Log.tis	success	1
1621006048.845626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\TranslateOfferTemplate.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\TranslateOfferTemplate.tis	success	1
1621006048.892626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\ViewStateLoader.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\ViewStateLoader.tis	success	1
1621006048.923626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\WelcomePage.html newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\WelcomePage.html	success	1
1621006048.970626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources	success	1
1621006048.970626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\images\loader.gif newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\images\loader.gif	success	1
1621006049.002626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\images\warning48x48.png newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\images\warning48x48.png	success	1
1621006049.033626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\images newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\images	success	1
1621006049.080626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\Config.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\Config.tis	success	1
1621006049.127626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\EventHandler.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\EventHandler.tis	success	1
1621006049.173626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\Log.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\Log.tis	success	1
1621006049.220626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\TranslateOfferTemplate.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\TranslateOfferTemplate.tis	success	1
1621006049.267626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis\ViewStateLoader.tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis\ViewStateLoader.tis	success	1
1621006049.298626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Resources\tis newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Resources\tis	success	1
1621006049.330626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\ru\DevLib.resources.dll newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\ru\DevLib.resources.dll	success	1
1621006049.439626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\ru newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\ru	success	1
1621006049.470626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\2021.05.14_18.27.25.923625_installer_pid=2268.txt newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\2021.05.14_18.27.25.923625_installer_pid=2268.txt	success	1
1621006049.548626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\app.ico newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\app.ico	success	1
1621006049.595626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\BundleConfig.json newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\BundleConfig.json	success	1
1621006049.658626 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS4C541D16\Carrier.HTML newfilepath: newfilepath_r: flags: 4 oldfilepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\7zS4C541D16\Carrier.HTML	success	1

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2268 resumed a thread in remote process 1908
1621006055.923626 NtResumeThread	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 1908	success	0	0

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2011-04-19 02:54:06

Imports

Library OLEAUT32.dll:

• 0x41b198 VariantClear

• 0x41b19c SysAllocString

Library USER32.dll:

• 0x41b1ac SendMessageA

• 0x41b1b0 SetTimer

• 0x41b1b4 DialogBoxParamW

• 0x41b1b8 DialogBoxParamA

• 0x41b1bc SetWindowLongA

• 0x41b1c0 GetWindowLongA

• 0x41b1c4 SetWindowTextW

• 0x41b1c8 LoadIconA

• 0x41b1cc LoadStringW

• 0x41b1d0 LoadStringA

• 0x41b1d4 CharUpperW

• 0x41b1d8 CharUpperA

• 0x41b1dc DestroyWindow

• 0x41b1e0 EndDialog

• 0x41b1e4 PostMessageA

• 0x41b1e8 ShowWindow

• 0x41b1ec MessageBoxW

• 0x41b1f0 GetDlgItem

• 0x41b1f4 KillTimer

• 0x41b1f8 SetWindowTextA

Library SHELL32.dll:

• 0x41b1a4 ShellExecuteExA

Library KERNEL32.dll:

• 0x41b000 GetCurrentDirectoryA

• 0x41b004 GetStringTypeW

• 0x41b008 GetStringTypeA

• 0x41b00c LCMapStringW

• 0x41b010 LCMapStringA

• 0x41b014 InterlockedIncrement

• 0x41b018 InterlockedDecrement

• 0x41b01c GetProcAddress

• 0x41b020 GetOEMCP

• 0x41b024 GetACP

• 0x41b028 GetCPInfo

• 0x41b02c IsBadCodePtr

• 0x41b030 IsBadReadPtr

• 0x41b034 GetFileType

• 0x41b038 SetHandleCount

• 0x41b03c GetEnvironmentStringsW

• 0x41b040 GetEnvironmentStrings

• 0x41b044 FreeEnvironmentStringsW

• 0x41b048 FreeEnvironmentStringsA

• 0x41b04c UnhandledExceptionFilter

• 0x41b050 HeapSize

• 0x41b054 GetCurrentProcess

• 0x41b058 TerminateProcess

• 0x41b05c IsBadWritePtr

• 0x41b060 HeapCreate

• 0x41b064 HeapDestroy

• 0x41b068 GetEnvironmentVariableA

• 0x41b06c SetUnhandledExceptionFilter

• 0x41b070 TlsAlloc

• 0x41b074 ExitProcess

• 0x41b078 GetVersion

• 0x41b07c GetCommandLineA

• 0x41b080 GetStartupInfoA

• 0x41b084 GetModuleHandleA

• 0x41b088 WaitForSingleObject

• 0x41b08c CloseHandle

• 0x41b090 CreateProcessA

• 0x41b094 GetCommandLineW

• 0x41b098 GetVersionExA

• 0x41b09c LeaveCriticalSection

• 0x41b0a0 EnterCriticalSection

• 0x41b0a4 DeleteCriticalSection

• 0x41b0a8 MultiByteToWideChar

• 0x41b0ac WideCharToMultiByte

• 0x41b0b0 GetLastError

• 0x41b0b4 LoadLibraryA

• 0x41b0b8 GetModuleFileNameW

• 0x41b0bc GetModuleFileNameA

• 0x41b0c0 LocalFree

• 0x41b0c4 FormatMessageW

• 0x41b0c8 FormatMessageA

• 0x41b0cc SetFileTime

• 0x41b0d0 CreateFileW

• 0x41b0d4 SetLastError

• 0x41b0d8 SetFileAttributesW

• 0x41b0dc SetFileAttributesA

• 0x41b0e0 RemoveDirectoryW

• 0x41b0e4 RemoveDirectoryA

• 0x41b0e8 CreateDirectoryW

• 0x41b0ec CreateDirectoryA

• 0x41b0f0 DeleteFileW

• 0x41b0f4 DeleteFileA

• 0x41b0f8 GetFullPathNameW

• 0x41b0fc GetFullPathNameA

• 0x41b100 SetCurrentDirectoryW

• 0x41b104 SetCurrentDirectoryA

• 0x41b108 GetCurrentDirectoryW

• 0x41b10c GetTempPathW

• 0x41b110 GetTempPathA

• 0x41b114 GetCurrentProcessId

• 0x41b118 GetTickCount

• 0x41b11c GetCurrentThreadId

• 0x41b120 FindClose

• 0x41b124 FindFirstFileW

• 0x41b128 FindFirstFileA

• 0x41b12c FindNextFileW

• 0x41b130 FindNextFileA

• 0x41b134 CreateFileA

• 0x41b138 GetFileSize

• 0x41b13c SetFilePointer

• 0x41b140 ReadFile

• 0x41b144 WriteFile

• 0x41b148 SetEndOfFile

• 0x41b14c GetStdHandle

• 0x41b150 WaitForMultipleObjects

• 0x41b154 Sleep

• 0x41b158 VirtualAlloc

• 0x41b15c VirtualFree

• 0x41b160 CreateEventA

• 0x41b164 SetEvent

• 0x41b168 ResetEvent

• 0x41b16c InitializeCriticalSection

• 0x41b170 RtlUnwind

• 0x41b174 RaiseException

• 0x41b178 HeapAlloc

• 0x41b17c HeapFree

• 0x41b180 HeapReAlloc

• 0x41b184 CreateThread

• 0x41b188 TlsSetValue

• 0x41b18c TlsGetValue

• 0x41b190 ExitThread

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
r3---sn-j5o7dn7e.gvt1.com	CNAME r3.sn-j5o7dn7e.gvt1.com A 113.108.239.196	113.108.239.196
redirector.gvt1.com	A 180.163.150.161	203.208.41.65
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
sos.adaware.com	A 104.16.236.79 A 104.16.235.79	104.16.235.79
h2oapi.adaware.com	A 104.16.236.79 A 104.16.235.79	104.16.235.79
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com A 142.250.66.110	172.217.24.14
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
update.googleapis.com	A 180.163.151.162	203.208.40.98
flow.lavasoft.com	A 104.18.88.101 A 104.18.87.101	104.18.88.101
teredo.ipv6.microsoft.com

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49224	104.16.236.79 h2oapi.adaware.com	443
192.168.56.101	49232	104.16.236.79 h2oapi.adaware.com	443
192.168.56.101	49234	104.16.236.79 h2oapi.adaware.com	443
192.168.56.101	49233	104.18.87.101 flow.lavasoft.com	443
192.168.56.101	49222	104.18.88.101 flow.lavasoft.com	80
192.168.56.101	49223	104.18.88.101 flow.lavasoft.com	80
192.168.56.101	49240	113.108.239.196 r3---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49239	180.163.150.161 redirector.gvt1.com	80
192.168.56.101	49238	180.163.151.162 update.googleapis.com	443

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49713	114.114.114.114	53
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50568	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	53380	224.0.0.252	5355
192.168.56.101	53500	224.0.0.252	5355
192.168.56.101	54178	224.0.0.252	5355
192.168.56.101	54260	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: redirector.gvt1.com
http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubBundleStart	POST /v1/event-stat?ProductID=IS&Type=StubBundleStart HTTP/1.1 Host: flow.lavasoft.com Accept: application/json Content-Type: application/json charsets: utf-8 Content-Length: 152 {"Data":{"BundleId":"SFT002","MachineId":"c39a9972-31e4-70f6-e9bd-35e4deef4f6f","InstallId":"8645fc96-a4dc-4209-b57c-2bc646ee1f1b","InProcess":"true"}}
http://flow.lavasoft.com/v1/event-stat?ProductID=IS&Type=StubStart	POST /v1/event-stat?ProductID=IS&Type=StubStart HTTP/1.1 Host: flow.lavasoft.com Accept: application/json Content-Type: application/json charsets: utf-8 Content-Length: 266 {"Data":{"BundleId":"SFT002","MachineId":"c39a9972-31e4-70f6-e9bd-35e4deef4f6f","InstallId":"8645fc96-a4dc-4209-b57c-2bc646ee1f1b","OsVersion":"Microsoft Windows 7 Ultimate Edition Service Pack 1 (build 7601), 64-bit","DotNetFramework":"3.5, 4.0 Client, 4.0 Full"}}
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620976578&mv=m&mvi=3&pl=17&shardbypass=yes	GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620976578&mv=m&mvi=3&pl=17&shardbypass=yes HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT Range: bytes=0-6150 User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620976578&mv=m&mvi=3&pl=17&shardbypass=yes	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620976578&mv=m&mvi=3&pl=17&shardbypass=yes HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.