10.0
0-day
该样本未表现出任何异常!
重新分析
更多

6d1e396f5a57506fde3b8b8c2d5dbe3e2479e0bb742739187848a9892cb313ee

c53a6bcb34cc25134dc30d7ff1abcf8b.exe

分析耗时

160s

最近分析

文件大小

13.3MB
静态报毒 动态报毒
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
未检测 暂无反病毒引擎检测结果
静态指标
Queries for the computername (10 个事件)
Time & API Arguments Status Return Repeated
1621018141.217125
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1621018141.499125
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1621018141.874125
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1621018141.999125
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1621017709.409021
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1621017714.018021
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1621017714.112021
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1621017716.518021
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1621017720.503021
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1621017721.096021
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Tries to locate where the browsers are installed (1 个事件)
file C:\Program Files\Google\Chrome\Application\chrome.exe
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1621018088.608125
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)
section .ndata
行为判定
动态指标
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:615808184&cup2hreq=5ca493ab1d4c0b4f1192fe28d4cb05608246d31ac956ac1e401b947a84ec2e43
Performs some HTTP requests (6 个事件)
request GET http://www.EasyPDF.net/latestVersion.txt?v=0.2
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620989064&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=f92f6e27fe1cbd5d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620989064&mv=m&mvi=3
request GET http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=f92f6e27fe1cbd5d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620989064&mv=m&mvi=3
request POST https://update.googleapis.com/service/update2?cup2key=10:615808184&cup2hreq=5ca493ab1d4c0b4f1192fe28d4cb05608246d31ac956ac1e401b947a84ec2e43
Sends data using the HTTP POST Method (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:615808184&cup2hreq=5ca493ab1d4c0b4f1192fe28d4cb05608246d31ac956ac1e401b947a84ec2e43
Allocates read-write-execute memory (usually to unpack itself) (4 个事件)
Time & API Arguments Status Return Repeated
1621018101.905125
NtProtectVirtualMemory
process_identifier: 3044
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x028c4000
success 0 0
1621018135.030125
NtAllocateVirtualMemory
process_identifier: 3044
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x08190000
success 0 0
1621017713.065021
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00000000049f0000
success 0 0
1621018138.280875
NtProtectVirtualMemory
process_identifier: 2052
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73972000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (5 个事件)
Time & API Arguments Status Return Repeated
1621018108.389125
GetDiskFreeSpaceExW
root_path: C:\Program Files (x86)\EasyPDF
free_bytes_available: 18088435155730432
total_number_of_free_bytes: 4296600724
total_number_of_bytes: 3802812902
failed 0 0
1621018108.389125
GetDiskFreeSpaceExW
root_path: C:\Program Files (x86)\
free_bytes_available: 19426254848
total_number_of_free_bytes: 19426254848
total_number_of_bytes: 34252779520
success 1 0
1621018108.514125
GetDiskFreeSpaceExW
root_path: C:\Program Files (x86)\EasyPDF
free_bytes_available: 26761941483924
total_number_of_free_bytes: 4296602288
total_number_of_bytes: 8600415772492755548
failed 0 0
1621018108.514125
GetDiskFreeSpaceExW
root_path: C:\Program Files (x86)\
free_bytes_available: 19426254848
total_number_of_free_bytes: 19426254848
total_number_of_bytes: 34252779520
success 1 0
1621017721.706021
GetDiskFreeSpaceExW
root_path: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Explorer
free_bytes_available: 19259191296
total_number_of_free_bytes: 0
total_number_of_bytes: 0
success 1 0
Creates executable files on the filesystem (50 out of 75 个事件)
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyPDF\README.txt.lnk
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\pf2afm.bat
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\gssetgs.bat
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\eps2eps.bat
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\eps2eps.cmd
file C:\Program Files (x86)\EasyPDF\pdfprinter\DriverFiles\64\PS5UI.DLL
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\ps2ps.bat
file C:\Program Files (x86)\EasyPDF\pdfprinter\EasyPDFInstall.dll
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\gsdj500.bat
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\font2c.cmd
file C:\Users\Public\Desktop\EasyPDF.lnk
file C:\Program Files (x86)\EasyPDF\pdfprinter\DriverFiles\32\PS5UI.DLL
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\ps2ps.cmd
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyPDF\EasyPDF.lnk
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\pfbtopfa.bat
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\pdf2dsc.bat
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\ps2ascii.bat
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\ps2pdf13.bat
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\ps2pdf13.cmd
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\ps2ascii.cmd
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\lpr2.bat
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\ps2epsi.bat
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyPDF\Uninstall.lnk
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\pdf2ps.cmd
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\lp386.bat
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\pf2afm.cmd
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\lp386r2.bat
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\ps2pdfxx.bat
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\bdftops.cmd
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\pdf2ps.bat
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\pftogsf.bat
file C:\Program Files (x86)\EasyPDF\pdfprinter\gsdll32.dll
file C:\Program Files (x86)\EasyPDF\pdfprinter\DriverFiles\64\redmonnt.dll
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\ps2ps2.bat
file C:\Program Files (x86)\EasyPDF\pdfprinter\DriverFiles\64\PSCRIPT5.DLL
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nszADD1.tmp\FindProcDLL.dll
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\ps2ps2.cmd
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nszADD1.tmp\nsDialogs.dll
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\gstt.bat
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\bdftops.bat
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\gsnd.bat
file C:\Program Files (x86)\EasyPDF\pdfprinter\DriverFiles\32\unredmon.exe
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\ps2pdf14.cmd
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\pdfopt.bat
file C:\Program Files (x86)\EasyPDF\pdfprinter\DriverFiles\32\redmonnt.dll
file C:\Program Files (x86)\EasyPDF\PdfPreview.dll
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\ps2pdf14.bat
file C:\Program Files (x86)\EasyPDF\pluginreg.exe
file C:\Program Files (x86)\EasyPDF\pdfprinter\lib\wmakebat.bat
file C:\Program Files (x86)\EasyPDF\PdfFilter.dll
Creates a shortcut to an executable file (16 个事件)
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyPDF\README.txt.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyPDF\Uninstall.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
file C:\Users\Public\Desktop\EasyPDF.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EasyPDF\EasyPDF.lnk
file C:\Users\Administrator.Oskar-PC\Desktop\EasyPDF.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Media Center.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Magnify.lnk
file C:\Users\Public\Desktop\Google Chrome.lnk
file C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
Creates a suspicious process (3 个事件)
cmdline regsvr32 /s 'C:\Program Files (x86)\EasyPDF\PdfFilter.dll'
cmdline regsvr32 /s 'C:\Program Files (x86)\EasyPDF\PdfPreview.dll'
cmdline regsvr32 /s "C:\Program Files (x86)\EasyPDF\npPdfViewer.dll"
Drops an executable to the user AppData folder (3 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nszADD1.tmp\FindProcDLL.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nszADD1.tmp\System.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nszADD1.tmp\nsDialogs.dll
A process created a hidden window (2 个事件)
Time & API Arguments Status Return Repeated
1621018137.280125
ShellExecuteExW
parameters: silent
filepath: 'C:\Program Files (x86)\EasyPDF\pdfprinter\DriverFiles\setupr.exe'
filepath_r: 'C:\Program Files (x86)\EasyPDF\pdfprinter\DriverFiles\setupr.exe'
show_type: 0
failed 0 0
1621018137.639125
ShellExecuteExW
parameters: install
filepath: 'C:\Program Files (x86)\EasyPDF\pdfprinter\easypdf_printer.exe'
filepath_r: 'C:\Program Files (x86)\EasyPDF\pdfprinter\easypdf_printer.exe'
show_type: 0
failed 0 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1621018157.32775
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (10 个事件)
Time & API Arguments Status Return Repeated
1621017709.268021
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1621017709.300021
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1621017716.690021
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1621017717.081021
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1621017717.925021
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1621017718.393021
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1621017718.456021
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1621017718.909021
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1621017718.925021
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1621017719.440021
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
Queries for potentially installed applications (9 个事件)
Time & API Arguments Status Return Repeated
1621018110.686125
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\EasyPDF
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\EasyPDF
options: 0
failed 2 0
1621018137.733125
RegOpenKeyExA
access: 0x00000108
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Redirection Port Monitor
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Redirection Port Monitor
options: 0
failed 2 0
1621018147.67175
RegOpenKeyExW
access: 0x00020019
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\EasyPDF
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\EasyPDF
options: 0
failed 2 0
1621018147.67175
RegOpenKeyExW
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x000000f8
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\EasyPDF
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\EasyPDF
options: 0
success 0 0
1621018147.67175
RegOpenKeyExW
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\EasyPDF
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\EasyPDF
options: 0
failed 2 0
1621018153.43675
RegOpenKeyExW
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Foxit Reader
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Foxit Reader
options: 0
failed 2 0
1621018153.43675
RegOpenKeyExW
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Foxit Reader
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Foxit Reader
options: 0
failed 2 0
1621018153.43675
RegOpenKeyExW
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Foxit Reader_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Foxit Reader_is1
options: 0
failed 2 0
1621018153.43675
RegOpenKeyExW
access: 0x00020119
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Foxit Reader_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Foxit Reader_is1
options: 0
failed 2 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Checks the CPU name from registry, possibly for anti-virtualization (1 个事件)
registry HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)
Time & API Arguments Status Return Repeated
1621018160.04675
RegSetValueExA
key_handle: 0x0000041c
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1621018160.04675
RegSetValueExA
key_handle: 0x0000041c
value: à”xÓH×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1621018160.04675
RegSetValueExA
key_handle: 0x0000041c
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1621018160.04675
RegSetValueExW
key_handle: 0x0000041c
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1621018160.04675
RegSetValueExA
key_handle: 0x00000434
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1621018160.04675
RegSetValueExA
key_handle: 0x00000434
value: à”xÓH×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1621018160.04675
RegSetValueExA
key_handle: 0x00000434
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1621018160.17175
RegSetValueExW
key_handle: 0x00000418
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Generates some ICMP traffic
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)
dead_host 172.217.24.14:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2009-12-06 06:50:46

Imports

Library KERNEL32.dll:
0x407060 CompareFileTime
0x407064 SearchPathA
0x407068 GetShortPathNameA
0x40706c GetFullPathNameA
0x407070 MoveFileA
0x407078 GetFileAttributesA
0x40707c GetLastError
0x407080 CreateDirectoryA
0x407084 SetFileAttributesA
0x407088 Sleep
0x40708c GetTickCount
0x407090 CreateFileA
0x407094 GetFileSize
0x407098 GetModuleFileNameA
0x40709c GetCurrentProcess
0x4070a0 CopyFileA
0x4070a4 ExitProcess
0x4070a8 SetFileTime
0x4070ac GetTempPathA
0x4070b0 GetCommandLineA
0x4070b4 SetErrorMode
0x4070b8 LoadLibraryA
0x4070bc lstrcpynA
0x4070c0 GetDiskFreeSpaceA
0x4070c4 GlobalUnlock
0x4070c8 GlobalLock
0x4070cc CreateThread
0x4070d0 CreateProcessA
0x4070d4 RemoveDirectoryA
0x4070d8 GetTempFileNameA
0x4070dc lstrlenA
0x4070e0 lstrcatA
0x4070e4 GetSystemDirectoryA
0x4070e8 GetVersion
0x4070ec CloseHandle
0x4070f0 lstrcmpiA
0x4070f4 lstrcmpA
0x4070fc GlobalFree
0x407100 GlobalAlloc
0x407104 WaitForSingleObject
0x407108 GetExitCodeProcess
0x40710c GetModuleHandleA
0x407110 LoadLibraryExA
0x407114 GetProcAddress
0x407118 FreeLibrary
0x40711c MultiByteToWideChar
0x407128 WriteFile
0x40712c ReadFile
0x407130 MulDiv
0x407134 SetFilePointer
0x407138 FindClose
0x40713c FindNextFileA
0x407140 FindFirstFileA
0x407144 DeleteFileA
Library USER32.dll:
0x40716c EndDialog
0x407170 ScreenToClient
0x407174 GetWindowRect
0x407178 EnableMenuItem
0x40717c GetSystemMenu
0x407180 SetClassLongA
0x407184 IsWindowEnabled
0x407188 SetWindowPos
0x40718c GetSysColor
0x407190 GetWindowLongA
0x407194 SetCursor
0x407198 LoadCursorA
0x40719c CheckDlgButton
0x4071a0 GetMessagePos
0x4071a4 LoadBitmapA
0x4071a8 CallWindowProcA
0x4071ac IsWindowVisible
0x4071b0 CloseClipboard
0x4071b4 SetClipboardData
0x4071b8 EmptyClipboard
0x4071bc RegisterClassA
0x4071c0 TrackPopupMenu
0x4071c4 AppendMenuA
0x4071c8 CreatePopupMenu
0x4071cc GetSystemMetrics
0x4071d0 SetDlgItemTextA
0x4071d4 GetDlgItemTextA
0x4071d8 MessageBoxIndirectA
0x4071dc CharPrevA
0x4071e0 DispatchMessageA
0x4071e4 PeekMessageA
0x4071e8 DestroyWindow
0x4071ec CreateDialogParamA
0x4071f0 SetTimer
0x4071f4 SetWindowTextA
0x4071f8 PostQuitMessage
0x4071fc SetForegroundWindow
0x407200 wsprintfA
0x407204 SendMessageTimeoutA
0x407208 FindWindowExA
0x407210 CreateWindowExA
0x407214 GetClassInfoA
0x407218 DialogBoxParamA
0x40721c CharNextA
0x407220 OpenClipboard
0x407224 ExitWindowsEx
0x407228 IsWindow
0x40722c GetDlgItem
0x407230 SetWindowLongA
0x407234 LoadImageA
0x407238 GetDC
0x40723c EnableWindow
0x407240 InvalidateRect
0x407244 SendMessageA
0x407248 DefWindowProcA
0x40724c BeginPaint
0x407250 GetClientRect
0x407254 FillRect
0x407258 DrawTextA
0x40725c EndPaint
0x407260 ShowWindow
Library GDI32.dll:
0x40703c SetBkColor
0x407040 GetDeviceCaps
0x407044 DeleteObject
0x407048 CreateBrushIndirect
0x40704c CreateFontIndirectA
0x407050 SetBkMode
0x407054 SetTextColor
0x407058 SelectObject
Library SHELL32.dll:
0x407154 SHBrowseForFolderA
0x407158 SHGetFileInfoA
0x40715c ShellExecuteA
0x407160 SHFileOperationA
Library ADVAPI32.dll:
0x407000 RegQueryValueExA
0x407004 RegSetValueExA
0x407008 RegEnumKeyA
0x40700c RegEnumValueA
0x407010 RegOpenKeyExA
0x407014 RegDeleteKeyA
0x407018 RegDeleteValueA
0x40701c RegCloseKey
0x407020 RegCreateKeyExA
Library COMCTL32.dll:
0x407028 ImageList_AddMasked
0x40702c ImageList_Destroy
0x407030
0x407034 ImageList_Create
Library ole32.dll:
0x407278 CoTaskMemFree
0x40727c OleInitialize
0x407280 OleUninitialize
0x407284 CoCreateInstance
Library VERSION.dll:
0x40726c GetFileVersionInfoA
0x407270 VerQueryValueA

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49236 113.108.239.161 redirector.gvt1.com 80
192.168.56.101 49235 113.108.239.162 update.googleapis.com 443
192.168.56.101 49237 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49238 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49233 172.67.130.236 www.easypdf.net 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 62191 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355
192.168.56.101 53945 239.255.255.250 1900
192.168.56.101 50002 8.8.8.8 53
192.168.56.101 50568 8.8.8.8 53
192.168.56.101 53237 8.8.8.8 53

HTTP & HTTPS Requests

URI Data
http://www.EasyPDF.net/latestVersion.txt?v=0.2 
GET /latestVersion.txt?v=0.2 HTTP/1.1
User-Agent: BaseHTTP
Host: www.EasyPDF.net
Cache-Control: no-cache
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=f92f6e27fe1cbd5d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620989064&mv=m&mvi=3 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=f92f6e27fe1cbd5d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620989064&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=0-7125
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620989064&mv=m&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620989064&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=f92f6e27fe1cbd5d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620989064&mv=m&mvi=3 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=f92f6e27fe1cbd5d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620989064&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=f92f6e27fe1cbd5d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620989064&mv=m&mvi=3 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=f92f6e27fe1cbd5d&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620989064&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=7126-18162
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.