13.4
0-day

SHA256: ab4b88ea37d6cfd5f6510acb73a14c27b5ef89f3a0103ac9f36cc465579c16c5

File name: daaf84966d5d348ba931443dc34e697e.exe (a 32-hex-digit name, consistent with the sample's MD5; McAfee's detection name below carries the same 12-character prefix)

Analysis duration: 129s

Last analysis:

File size: 329.1KB
Detection names (static and dynamic): ABWZ, AKVV, BBKH, BPZOAT, CUAD, EMAILWORM, GENERIC33, GENETIC, HLUX, KCLOUD, KRYPTIK, LUDER, MUZ4YEOLGQU, R47CCEH, SMALLWORM, TEPFER, TZOI, VIKNOK, ZBOT, ZEUS
Eagle Eye engine (鹰眼引擎)
Not detected: no Eagle Eye engine result for this sample
Static verdict
Antivirus engines
Engine   | Result                 | Scan date | Engine version
McAfee   | Agent-FCC!DAAF84966D5D | 20131201  | 5.600.0.1067
Avast    | Win32:Viknok-I [Trj]   | 20131201  | 8.0.1489.320
Kingsoft | Worm.Luder.ab.(kcloud) | 20130829  | 2013.4.9.267
The engine results are dated August and December 2013, while the dynamic run below (timestamps 1619948410 and later) took place on 2021-05-02; the static verdicts are old scan results, not a rescan at analysis time. The family names (Zbot/ZeuS, Viknok, Luder) are the vendors' labels and are not verified elsewhere in this report.
Static indicators
Queries for the computername (1 event)
Time              | API              | Arguments               | Status  | Return | Repeated
1619948412.017719 | GetComputerNameW | computer_name: OSKAR-PC | success | 1      | 0
Command line console output was observed (50 out of 61 events)
All 50 rows shown are WriteConsoleW calls with status success, return 1, repeated 0. They alternate between two buffers written to two different console handles:
  A: buffer: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\daaf84966d5d348ba931443dc34e697e.exe (console_handle: 0x00000007)
  B: buffer: 拒绝访问。 ("Access is denied.", the localized Windows error text) (console_handle: 0x0000000b)
Time (A, sample path echoed) | Time (B, Access is denied)
1619951550.383249 | 1619951550.508249
1619951550.601249 | 1619951550.617249
1619951550.679249 | 1619951550.695249
1619951550.758249 | 1619951550.773249
1619951550.914249 | 1619951550.914249
1619951551.023249 | 1619951551.054249
1619951551.226249 | 1619951551.242249
1619951551.351249 | 1619951551.367249
1619951551.429249 | 1619951551.445249
1619951551.586249 | 1619951551.601249
1619951551.695249 | 1619951551.711249
1619951551.836249 | 1619951551.867249
1619951551.992249 | 1619951551.992249
1619951552.148249 | 1619951552.148249
1619951552.211249 | 1619951552.226249
1619951552.383249 | 1619951552.554249
1619951552.773249 | 1619951552.773249
1619951553.023249 | 1619951553.023249
1619951553.398249 | 1619951553.492249
1619951553.820249 | 1619951553.851249
1619951554.101249 | 1619951554.133249
1619951554.211249 | 1619951554.211249
1619951554.273249 | 1619951554.273249
1619951554.351249 | 1619951554.351249
1619951554.429249 | 1619951554.429249
The two handles differ, so A and B went to different console streams, as a command echo and its error text would. Read together with the tmp0284120d.bat launched through cmd.exe (see "Creates a suspicious process" below), the sample path followed by "Access is denied" 25 times in about four seconds is consistent with a batch loop retrying a delete of the original sample while the file is still in use. The batch file's contents are not in this report, so that reading is an inference, not an observation.
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (2 events)
The signature title is the sandbox's generic label; the two values actually read in this run, through the Wow6432Node view (that is, by a 32-bit process on 64-bit Windows), are:
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\DigitalProductId
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\InstallDate
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time              | API                  | Arguments | Status  | Return | Repeated
1619948411.986719 | GlobalMemoryStatusEx |           | success | 1      | 0
Behavioral verdict
Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features: POST method with no referer header
suspicious_request: POST https://update.googleapis.com/service/update2?cup2key=10:4277731630&cup2hreq=714a8b1e03f31c94d4c72c140f79884f0dd83feb6009cfdcd72ff90fb3c57779
Performs some HTTP requests (4 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619922494&mv=m&mvi=4&pl=17&shardbypass=yes
request GET http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619922494&mv=m&mvi=4&pl=17&shardbypass=yes
request POST https://update.googleapis.com/service/update2?cup2key=10:4277731630&cup2hreq=714a8b1e03f31c94d4c72c140f79884f0dd83feb6009cfdcd72ff90fb3c57779
Sends data using the HTTP POST Method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:4277731630&cup2hreq=714a8b1e03f31c94d4c72c140f79884f0dd83feb6009cfdcd72ff90fb3c57779
Caveat: all four requests go to Google's update infrastructure (redirector.gvt1.com, a gvt1.com edge node, update.googleapis.com) and fetch GoogleUpdateSetup.exe 1.3.36.82, which is what a Google Update (Omaha) client installed in the analysis guest does on its own. The referer-less POST is flagged mechanically by the signature. The report does not attribute individual requests to processes, so none of this traffic can be assigned to the sample on the evidence here.
Allocates read-write-execute memory (usually to unpack itself) (50 out of 111 events)
Every row shown has protection: 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass: 0, stack_pivoted: 0, heap_dep_bypass: 0, status success, return 0, repeated 0. process_handle is 0xffffffff (the current-process pseudo-handle) in every row except PID 1424, where it is the 64-bit form 0xffffffffffffffff. For NtProtectVirtualMemory the Size column is the length argument and there is no allocation_type.
Time              | API                     | PID  | Size   | allocation_type                | base_address
1619948410.111719 | NtAllocateVirtualMemory | 324  | 225280 | 12288 (MEM_COMMIT|MEM_RESERVE) | 0x00470000
1619948410.111719 | NtAllocateVirtualMemory | 324  | 225280 | 12288 (MEM_COMMIT|MEM_RESERVE) | 0x005e0000
1619948410.127719 | NtProtectVirtualMemory  | 324  | 290816 |                                | 0x00400000
1619948410.173719 | NtAllocateVirtualMemory | 324  | 159744 | 4096 (MEM_COMMIT)              | 0x004b0000
1619951616.789001 | NtAllocateVirtualMemory | 1424 | 65536  | 4096 (MEM_COMMIT)              | 0x0000000003e70000
1619951548.600499 | NtAllocateVirtualMemory | 2128 | 225280 | 12288 (MEM_COMMIT|MEM_RESERVE) | 0x00470000
1619951548.616499 | NtAllocateVirtualMemory | 2128 | 225280 | 12288 (MEM_COMMIT|MEM_RESERVE) | 0x004b0000
1619951548.632499 | NtProtectVirtualMemory  | 2128 | 290816 |                                | 0x00400000
1619951548.710499 | NtAllocateVirtualMemory | 2128 | 159744 | 4096 (MEM_COMMIT)              | 0x00500000
1619951548.819499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02210000
1619951548.835499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02220000
1619951548.835499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x026b0000
1619951548.850499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02680000
1619951548.866499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02690000
1619951548.866499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x026a0000
1619951548.866499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02790000
1619951548.882499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x027a0000
1619951548.882499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x027b0000
1619951548.897499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x027c0000
1619951548.897499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x027d0000
1619951548.897499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x027e0000
1619951548.928499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x027f0000
1619951548.928499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02800000
1619951548.975499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02810000
1619951548.975499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02820000
1619951549.022499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02830000
1619951549.022499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02840000
1619951549.038499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02850000
1619951549.038499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02860000
1619951549.038499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02870000
1619951549.038499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02880000
1619951549.053499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02760000
1619951549.069499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02770000
1619951549.085499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02780000
1619951549.085499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02890000
1619951549.085499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x028a0000
1619951549.085499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x028b0000
1619951549.085499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x028c0000
1619951549.085499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x028d0000
1619951549.085499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x028e0000
1619951549.100499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x028f0000
1619951549.100499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02900000
1619951549.100499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02910000
1619951549.100499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02920000
1619951549.100499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02930000
1619951549.100499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02940000
1619951549.100499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02950000
1619951549.100499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x02960000
1619951549.132499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x026c0000
1619951549.147499 | NtAllocateVirtualMemory | 2128 | 4096   | 4096 (MEM_COMMIT)              | 0x026d0000
What the sequence shows: PIDs 324 and 2128 run the same four steps, two 225280-byte RWX reserve-and-commit allocations, then NtProtectVirtualMemory making 290816 bytes at 0x00400000 writable and executable (0x00400000 is the conventional image base of a 32-bit executable, and the Wow6432Node registry paths above show the sample is 32-bit), then a 159744-byte commit. Staging data in RWX scratch buffers and then rewriting the mapped image in place is the usual shape of a packer stub, and it matches the high-entropy sections reported under the packer indicator below. The report does not say which image each PID belongs to. PID 2128 goes on to commit 41 single RWX pages between 0x02210000 and 0x02960000 in about 330 ms. PID 1424 is a 64-bit process (64-bit pseudo-handle) that allocates once, more than a minute after the others; a 32-bit sample cannot itself be that process, so attribute it to the sample only with further evidence.
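An added example, not part of the sandbox report or its tooling: a Python parser for the flattened "Time & API Arguments Status Return Repeated" records as they appear on this page, with a check that flags the in-place unpacking sequence described above (RWX scratch allocation followed by NtProtectVirtualMemory on the process's own image base). The record layout, the 0x00400000 image-base heuristic and the embedded sample records (copied from PIDs 324 and 1424 above, stack_* lines omitted) are assumptions of this example.

```python
"""Parse the flattened 'Time & API Arguments Status Return Repeated' records shown on this
page and flag the in-place unpacking pattern. Added example; layout assumed from the report."""
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40
DEFAULT_IMAGE_BASE_32 = 0x00400000                   # conventional 32-bit EXE image base
TS_RE = re.compile(r"^\d{10}\.\d+$")                 # e.g. 1619948410.111719
STATUS_RE = re.compile(r"^(success|failed)\s+(-?\d+)\s+(\d+)$")   # status return repeated


def field_int(field):
    """'64 (PAGE_EXECUTE_READWRITE)' -> 64, '0x00470000' -> 4653056."""
    return int(field.split()[0], 0)


def parse_api_log(text):
    """One dict per call: time, api, args (str -> str), status, return, repeated."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line):                        # a timestamp opens a record
            cur = {"time": float(line), "api": None, "args": {}}
            records.append(cur)
        elif cur is None:                            # column header before the first record
            continue
        elif cur["api"] is None:                     # line after the timestamp is the API name
            cur["api"] = line
        elif STATUS_RE.match(line):                  # 'success 0 0' closes the record
            m = STATUS_RE.match(line)
            cur["status"], cur["return"], cur["repeated"] = m.group(1), int(m.group(2)), int(m.group(3))
        elif ":" in line:                            # 'key: value' argument line
            key, _, val = line.partition(":")
            cur["args"][key.strip()] = val.strip()
    return records


def summarize_rwx(records):
    """Per PID: RWX bytes committed, and existing ranges whose protection was changed to RWX."""
    out = defaultdict(lambda: {"rwx_allocs": 0, "rwx_bytes": 0, "rwx_protects": [], "is_64bit": False})
    for r in records:
        if r["api"] not in ("NtAllocateVirtualMemory", "NtProtectVirtualMemory") or r.get("status") != "success":
            continue
        a = r["args"]
        s = out[int(a["process_identifier"])]
        if len(a.get("process_handle", "0x")) - 2 > 8:   # 16 hex digits: a 64-bit process
            s["is_64bit"] = True
        if field_int(a["protection"]) != PAGE_EXECUTE_READWRITE:
            continue
        if r["api"] == "NtAllocateVirtualMemory":
            s["rwx_allocs"] += 1
            s["rwx_bytes"] += field_int(a["region_size"])
        else:
            s["rwx_protects"].append((field_int(a["base_address"]), field_int(a["length"])))
    return dict(out)


def looks_like_inplace_unpack(summary, image_base=DEFAULT_IMAGE_BASE_32):
    """PIDs that committed RWX scratch memory and then made their own image base RWX."""
    return sorted(pid for pid, s in summary.items()
                  if s["rwx_allocs"] and any(b == image_base for b, _ in s["rwx_protects"]))


# Constructed sample: three records copied from this report (PIDs 324 and 1424), stack_* lines omitted.
SAMPLE_LOG = """\
Time & API Arguments Status Return Repeated
1619948410.111719
NtAllocateVirtualMemory
process_identifier: 324
region_size: 225280
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00470000
success 0 0
1619948410.127719
NtProtectVirtualMemory
process_identifier: 324
length: 290816
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619951616.789001
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000003e70000
success 0 0
"""

if __name__ == "__main__":
    summary = summarize_rwx(parse_api_log(SAMPLE_LOG))
    print(summary, looks_like_inplace_unpack(summary))
```

Run against the full section above, the check singles out PIDs 324 and 2128 and leaves 1424 aside, which is the triage result argued in prose: the 64-bit process has RWX memory but never rewrites an image base. The image-base test is a heuristic; a relocated or ASLR-enabled image needs the real load address from the process's module list instead of the 0x00400000 default.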
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Foreign language identified in PE resource (3 events)
name RT_STRING language LANG_PORTUGUESE offset 0x0005f4ac filetype data sublanguage SUBLANG_PORTUGUESE_BRAZILIAN size 0x00000132
name RT_STRING language LANG_PORTUGUESE offset 0x0005f4ac filetype data sublanguage SUBLANG_PORTUGUESE_BRAZILIAN size 0x00000132
name RT_VERSION language LANG_TURKISH offset 0x0005f5f4 filetype zlib compressed data sublanguage SUBLANG_NEUTRAL size 0x00000178
A Brazilian-Portuguese string table next to a Turkish-tagged version resource is an odd mix, and an RT_VERSION resource that identifies as zlib-compressed data rather than a plain VS_VERSIONINFO structure is itself a sign that the resource section has been packed.
Creates executable files on the filesystem (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp0284120d.bat
Creates a service (1 event)
Time: 1619948415.330719  API: CreateServiceW  Status: success  Return: 5333136 (0x00516090, the service handle)  Repeated: 0
service_name: SecurityCenterServer3129169727
display_name: Security Center Server - 3129169727
service_type: 16 (SERVICE_WIN32_OWN_PROCESS)
start_type: 2 (SERVICE_AUTO_START, started at boot)
error_control: 1 (SERVICE_ERROR_NORMAL)
desired_access: 983551 (0xF01FF, SERVICE_ALL_ACCESS)
service_start_name: (empty, so the service runs as LocalSystem)
password: (empty)
service_manager_handle: 0x00516248
service_handle: 0x00516090
filepath_r: "C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe"
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe"
filepath_r is the raw lpBinaryPathName and is the value to use; filepath is the sandbox's attempt to resolve that string against the process's working directory (Temp), which glued the prefix onto an already quoted path. The display name imitates Windows Security Center and the numeric suffix makes the name look machine-specific. The service image C:\Windows\SysWOW64\winsec32.exe is not among the files this report lists as created, while its argument adlaa.exe is, so whether winsec32.exe exists on the guest cannot be confirmed from this report alone.
Creates a suspicious process (1 event)
cmdline "C:\Windows\system32\cmd.exe" /c "C:\Users\ADMINI~1.OSK\AppData\Local\Temp\tmp0284120d.bat"
(ADMINI~1.OSK is the 8.3 short name of Administrator.Oskar-PC; the batch file is the one listed under "Creates executable files" above.)
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\daaf84966d5d348ba931443dc34e697e.exe
(This path is the submitted sample itself, with its MD5-derived name, sitting in %LOCALAPPDATA%\Temp; the persistent copy is adlaa.exe under %APPDATA%\Cipoud.)
Checks adapter addresses which can be used to detect virtual network interfaces (1 event)
Time              | API                  | Arguments                      | Status | Return | Repeated
1619951558.178751 | GetAdaptersAddresses | flags: 0, family: 0 (AF_UNSPEC) | failed | 111    | 0
Return 111 is ERROR_BUFFER_OVERFLOW, the normal result of the first sizing call to GetAdaptersAddresses; the report shows no follow-up call with a larger buffer, so the enumeration itself is not evidenced here.
The binary likely contains encrypted or compressed data indicative of a packer (4 events)
Section | virtual_address | size_of_data | virtual_size | Entropy
.text   | 0x00001000      | 0x00032800   | 0x000326a2   | 7.915664145632469
.data   | 0x0003a000      | 0x00005200   | 0x00018f46   | 7.739584072764145
.data   | 0x00068000      | 0x00003800   | 0x00003612   | 6.974412612362035
Overall: 0.7232415902140673; description: Overall entropy of this PE file is high. This figure is evidently not bits per byte (0.72 would be almost no entropy); in the Cuckoo community signature it is the fraction of section bytes that sit in high-entropy sections, here about 72%.
A .text section at 7.92 bits per byte is indistinguishable from random data, not native code, which is what an encrypted or compressed payload looks like. Two sections share the name .data; the first has a virtual_size (0x18f46) about five times its size_of_data (0x5200), so most of it is zero-filled at load time, room that an unpacker can fill at runtime. The NtProtectVirtualMemory on 0x00400000 above fits this layout.
Reads the systems User Agent and subsequently performs requests (1 event)
Time: 1619951557.928751  API: InternetOpenW  Status: success  Return: 13369348 (the HINTERNET session handle)  Repeated: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
access_type: 0 (INTERNET_OPEN_TYPE_PRECONFIG, use the system proxy configuration)
proxy_name: (empty)
proxy_bypass: (empty)
flags: 268435456 (0x10000000, INTERNET_FLAG_ASYNC)
The user agent is the guest's own Internet Explorer 7 string on Windows 7 (NT 6.1, WOW64), read from the system rather than hard-coded, so any traffic the sample sends through this session blends in with the host's browser traffic.
Terminates another process (2 events)
Time              | API                | Arguments                                                                    | Status  | Return | Repeated
1619951582.178751 | NtTerminateProcess | status_code: 0x00000000, process_identifier: 3248, process_handle: 0x00000484 | failed  | 0      | 0
1619951582.178751 | NtTerminateProcess | status_code: 0x00000000, process_identifier: 3248, process_handle: 0x00000484 | success | 0      | 0
The same handle is used twice within the same timestamp, first reported failed and then success. The report does not identify what PID 3248 is.
Network communication
Communicates with host for which no DNS query was performed (1 event)
host 172.217.24.14
172.217.0.0/16 is Google address space, consistent with the Google Update traffic above; the absent DNS query most likely means the name was resolved before capture started or served from the guest's resolver cache.
Installs itself for autorun at Windows startup (50 out of 1564 个事件)
service_name SecurityCenterServer3129169727 service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\winsec32.exe" -service "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe"
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Leipx reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Leipx reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Leipx reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Leipx reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe"
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Leipx reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe"
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Leipx reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Leipx reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Leipx reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Leipx reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Leipx reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Leipx reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Leipx reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Leipx reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Leipx reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Leipx reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Leipx reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Leipx reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Leipx reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Leipx reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Leipx reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe
reg_key HKEY_CURRENT_USER\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Leipx reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Leipx reg_value C:\Users\Administrator.Oskar-PC\AppData\Roaming\Cipoud\adlaa.exe
Disables proxy possibly for traffic interception (1 event)
Time & API Arguments Status Return Repeated
1619951557.788751
RegSetValueExA
key_handle: 0x000003c0
value: 0
regkey_r: ProxyEnable
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
success 0 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1619951560.757751
RegSetValueExA
key_handle: 0x000004d8
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619951560.757751
RegSetValueExA
key_handle: 0x000004d8
value: PfŠ"?×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619951560.757751
RegSetValueExA
key_handle: 0x000004d8
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619951560.757751
RegSetValueExW
key_handle: 0x000004d8
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619951560.772751
RegSetValueExA
key_handle: 0x000004c4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619951560.772751
RegSetValueExA
key_handle: 0x000004c4
value: PfŠ"?×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619951560.772751
RegSetValueExA
key_handle: 0x000004c4
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619951560.803751
RegSetValueExW
key_handle: 0x000004c0
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Resumed a suspended thread in a remote process, potentially indicative of process injection (2 events)
Process injection Process 2128 resumed a thread in remote process 3096
Time & API Arguments Status Return Repeated
1619951550.257499
NtResumeThread
thread_handle: 0x0000023c
suspend_count: 1
process_identifier: 3096
success 0 0
Creates and runs a batch file to remove the original binary (1 event)
file 2ebe012d473eaded_tmp0284120d.bat
Zeus P2P (Banking Trojan) (19 events)
mutex Global\{73B5E851-A2E2-98BC-AB87-B4BE3747EB7D}
mutex Global\{E5A25620-1C93-0EAB-99EF-043E052F5BFD}
mutex Local\{39F53B74-71C7-D2FC-AB87-B4BE3747EB7D}
mutex Global\{83EC1E3F-548C-68E5-AB87-B4BE3747EB7D}
mutex Local\{12535E46-14F5-F95A-AB87-B4BE3747EB7D}
Generates some ICMP traffic
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 142.250.66.110:443
File has been identified by 39 AntiVirus engines on VirusTotal as malicious (39 events)
MicroWorld-eScan Worm.Generic.434906
nProtect Trojan/W32.Agent.336956.B
McAfee Agent-FCC!DAAF84966D5D
Malwarebytes Trojan.Agent.VOS
K7AntiVirus EmailWorm ( 004374c61 )
K7GW EmailWorm ( 004374c61 )
TheHacker Trojan/Kryptik.bbkh
NANO-Antivirus Trojan.Win32.Luder.bpzoat
Symantec Trojan.ADH.2
Norman Smallworm.CUAD
TrendMicro-HouseCall TROJ_GEN.R47CCEH
Avast Win32:Viknok-I [Trj]
Kaspersky Worm.Win32.Luder.abwz
BitDefender Worm.Generic.434906
Agnitum Worm.Luder!muZ4YEOLGQU
SUPERAntiSpyware Trojan.Agent/Gen-Autorun
Ad-Aware Worm.Generic.434906
Sophos Mal/Generic-S
Comodo UnclassifiedMalware
F-Secure Worm.Generic.434906
DrWeb Trojan.Packed.194
VIPRE Trojan.Win32.Kryptik.m (v)
AntiVir Worm/Luder.abwz
TrendMicro TROJ_GEN.R47CCEH
McAfee-GW-Edition Agent-FCC!DAAF84966D5D
Emsisoft Worm.Generic.434906 (B)
Antiy-AVL Worm/Win32.Luder.gen
Kingsoft Worm.Luder.ab.(kcloud)
Microsoft PWS:Win32/Zbot.gen!AP
AhnLab-V3 Trojan/Win32.Tepfer
GData Worm.Generic.434906
Commtouch W32/Trojan.TZOI-8030
VBA32 Heur.Trojan.Hlux
Baidu-International Worm.Win32.Luder.akVv
ESET-NOD32 a variant of Win32/Kryptik.BBKH
Ikarus Worm.Win32.Luder
Fortinet W32/Tepfer.MQ!tr
AVG Generic33.NIH
Panda Trj/Genetic.gen
Visual analysis
Binary image
No binary image: the sample did not generate a binary visualization image
Runtime screenshots
No runtime screenshots: no screenshots were generated while the sample was running

PE Compile Time

2010-05-25 22:42:44

Imports

Library MSVCRT.dll:
0x438000 __set_app_type
0x438004 __p__dstbias
0x438008 exit
0x43800c _aexit_rtn
0x438010 __p__commode
0x438014 _wstat64
0x438018 __getmainargs
0x43801c ??1bad_cast@@UAE@XZ
0x438020 _mbsnbcmp
0x438024 _mbsncmp
0x438028 towupper
0x43802c _ismbckata
0x438030 putwchar
0x438034 _ismbcl2
0x438038 _lseek
0x43803c _close
0x438040 sinh
0x438044 strtol
0x438048 _dup2
0x43804c wprintf
0x438050 _ismbcupper
0x438054 _mbcjistojms
Library GDI32.dll:
0x438064 DdEntry42
0x438068 CreateBitmap
0x43806c CreateEnhMetaFileA
0x438070 SetDIBitsToDevice
0x438074 STROBJ_bEnum
0x438078 StrokePath
0x43807c PlgBlt
0x438080 EngAlphaBlend
0x438084 EnumICMProfilesA
0x438088 GetEnhMetaFileBits
0x43808c DdEntry21
0x438090 DdEntry15
0x438094 PATHOBJ_vEnumStart
0x438098 GdiAlphaBlend
0x43809c GetViewportExtEx
0x4380a0 GdiPlayEMF
0x4380a4 DdEntry9
0x4380a8 DdEntry43
0x4380b0 DdEntry27
0x4380b4 SetDCPenColor
0x4380b8 FONTOBJ_cGetGlyphs
0x4380bc GetWorldTransform
0x4380c0 CloseMetaFile
0x4380c4 GetTextMetricsA
0x4380cc UnloadNetworkFonts
0x4380d0 GetMetaRgn
0x4380d4 GetEnhMetaFileW
0x4380d8 GetRgnBox
0x4380dc FontIsLinked
0x4380e4 GetWinMetaFileBits
0x4380e8 GetRegionData
0x4380f0 StartPage
0x4380f4 GetDeviceCaps
Library KERNEL32.dll:
0x4380fc SetSystemTime
0x438100 LoadLibraryW
0x438104 GetBinaryTypeA
0x438110 GetNumberFormatW
0x438114 GetSystemInfo
0x438118 ReplaceFileW
0x438124 IsBadStringPtrW
0x43812c SizeofResource
0x438134 FindFirstVolumeA
0x438138 GetStringTypeW
0x438144 IsBadWritePtr
0x43814c VirtualLock
0x438150 EnumSystemLocalesA
0x438154 GetCPInfoExW
0x43815c EnumCalendarInfoExA
0x438160 GetCurrentProcessId
0x438164 GetFileType
0x438168 LZCloseFile
0x43816c FindNextFileA
0x438170 SetLastError
0x438178 WriteProfileStringW
0x43817c VerifyVersionInfoA
0x438180 ReleaseMutex
0x438184 CancelWaitableTimer
0x43818c GlobalAlloc
0x438194 SetFileShortNameA
0x438198 DeleteFiber
0x43819c HeapSetInformation
Library ADVAPI32.dll:
0x4381a8 UpdateTraceW
0x4381ac RegReplaceKeyA
0x4381b0 CloseTrace
0x4381b4 GetFileSecurityA
0x4381bc GetServiceKeyNameA
0x4381cc SaferCloseLevel
0x4381d0 CryptEnumProvidersA
0x4381d4 EncryptionDisable
0x4381e0 GetTrusteeTypeW
0x4381e8 SystemFunction020
0x4381f4 SetTraceCallback
0x4381f8 CryptDestroyHash
0x438208 RegCreateKeyExW
0x43820c RemoveTraceCallback
Library MAPISTUB.dll:
0x438214 HrComposeEID@28
0x438218 HrDecomposeMsgID@24
0x43821c WrapProgress@20
0x438220 cmc_send_documents
0x438224 FtMulDwDw@8
0x438228 FtMulDw@12
0x438234 BMAPISendMail
0x438238 BMAPIGetReadMail
0x43823c ScCountProps@12
0x438240 UlFromSzHex@4
0x438244 MAPIInitIdle@4

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49190 113.108.239.162 update.googleapis.com 443
192.168.56.101 49191 180.163.150.161 redirector.gvt1.com 80
192.168.56.101 49192 58.63.233.69 r4---sn-j5o76n7l.gvt1.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 60384 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900
192.168.56.101 50535 239.255.255.250 3702
192.168.56.101 56540 239.255.255.250 3702
192.168.56.101 56807 239.255.255.250 1900

HTTP & HTTPS Requests

URI Data
http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619922494&mv=m&mvi=4&pl=17&shardbypass=yes
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619922494&mv=m&mvi=4&pl=17&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=31922-43277
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com

http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619922494&mv=m&mvi=4&pl=17&shardbypass=yes
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619922494&mv=m&mvi=4&pl=17&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=43278-67035
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com

http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619922494&mv=m&mvi=4&pl=17&shardbypass=yes
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619922494&mv=m&mvi=4&pl=17&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=6867-17909
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com

http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619922494&mv=m&mvi=4&pl=17&shardbypass=yes
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619922494&mv=m&mvi=4&pl=17&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=0-6866
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com

http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619922494&mv=m&mvi=4&pl=17&shardbypass=yes
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619922494&mv=m&mvi=4&pl=17&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=17910-31921
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com

http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619922494&mv=m&mvi=4&pl=17&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619922494&mv=m&mvi=4&pl=17&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.