2.2
Medium risk

0b4d6ec4bfbc48e2616bfbe592ca9769a0f03d6f43d41cabdbab5e97129ae541

0b4d6ec4bfbc48e2616bfbe592ca9769a0f03d6f43d41cabdbab5e97129ae541.exe

Analysis duration

135s

Last analysis

383 days ago

File size

26.3KB
Static detection  Dynamic detection  CVE  FAMILY  METATYPE  PLATFORM  TYPE  UNKNOWN  WIN32  TROJAN  GENERICKDZ
Hawkeye engine
DACN 0.12
FACILE 1.00
IMCLNet 0.60
MFGraph 0.00
Static verdict
Antivirus engines
Engine Result Scan date Engine version
Avast Win32:Malware-gen 20190914 18.4.3895.0
Baidu None 20190318 1.0.0.2
CrowdStrike win/malicious_confidence_100% (D) 20190702 1.0
Kingsoft None 20190914 2013.8.14.323
McAfee GenericRXGP-KT!8C9F558FD80E 20190914 6.0.6.653
Tencent None 20190914 1.0.0.1
Static indicators
Behavioral verdict
Dynamic indicators
Creates executable files on the filesystem (18 events)
file C:\Users\Administrator\AppData\Local\Temp\DEM2B29.exe
file C:\Windows\CTS.exe
file C:\Users\Administrator\AppData\Local\Temp\drvmgr\Microsoft_Visual_C++2010_x86_Redistributable_vcredist_x86.exe
file C:\Users\Administrator\AppData\Local\Temp\cpuz_x64.exe
file C:\Users\Administrator\AppData\Local\Temp\5d895343d099053ee9ebbad5d42826b3d5a45e8fa32f48cf6b1cae1fc08cbd4a.exe
file C:\Users\Administrator\AppData\Local\Temp\{5612CBE7-9CDF-4014-9454-1A3AE75C0CEE}.tmp\rootsupd.exe
file C:\Users\Administrator\AppData\Local\Temp\gz50Fvw2X0c4C6H.exe
file C:\Users\Administrator\AppData\Local\Temp\drvmgr\Microsoft_Visual_C++2008_Redistributable_vcredist_x64.exe
file C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OMOXBAGH\Firefox%20Installer[1].exe
file C:\Users\Administrator\AppData\Local\Temp\drvmgr\Microsoft_Visual_C++2012_x86_vcredist_x86.exe
file C:\Users\Administrator\AppData\Local\Temp\drvmgr\Microsoft_Visual_C++2008_Redistributable_vcredist_x86.exe
file C:\Users\Administrator\AppData\Local\Temp\drvmgr\directx_jun2010_redist.exe
file C:\Users\Administrator\AppData\Local\Temp\drvmgr\DXSETUP.exe
file C:\Users\Administrator\AppData\Local\Temp\drvmgr\Microsoft_Visual_C++2012_x64_vcredist_x64.exe
file C:\Users\Administrator\AppData\Local\Temp\drvmgr\Microsoft_Visual_C++2010_x64_Redistributable_vcredist_x64.exe
file C:\Users\Administrator\Downloads\guanwang__360DrvMgrInstaller_beta.exe
file C:\Users\Administrator\AppData\Local\Temp\DEMD8FD.exe
file C:\Users\Administrator\AppData\Local\Temp\DEM831D.exe
Drops a binary and executes it (1 event)
file C:\Windows\CTS.exe
Drops an executable into the user's AppData folder (16 events)
file C:\Users\Administrator\AppData\Local\Temp\drvmgr\Microsoft_Visual_C++2010_x86_Redistributable_vcredist_x86.exe
file C:\Users\Administrator\AppData\Local\Temp\drvmgr\DXSETUP.exe
file C:\Users\Administrator\AppData\Local\Temp\gz50Fvw2X0c4C6H.exe
file C:\Users\Administrator\AppData\Local\Temp\drvmgr\Microsoft_Visual_C++2008_Redistributable_vcredist_x64.exe
file C:\Users\Administrator\AppData\Local\Temp\cpuz_x64.exe
file C:\Users\Administrator\AppData\Local\Temp\{5612CBE7-9CDF-4014-9454-1A3AE75C0CEE}.tmp\rootsupd.exe
file C:\Users\Administrator\AppData\Local\Temp\drvmgr\Microsoft_Visual_C++2012_x64_vcredist_x64.exe
file C:\Users\Administrator\AppData\Local\Temp\5d895343d099053ee9ebbad5d42826b3d5a45e8fa32f48cf6b1cae1fc08cbd4a.exe
file C:\Users\Administrator\AppData\Local\Temp\drvmgr\Microsoft_Visual_C++2010_x64_Redistributable_vcredist_x64.exe
file C:\Users\Administrator\AppData\Local\Temp\drvmgr\directx_jun2010_redist.exe
file C:\Users\Administrator\AppData\Local\Temp\DEMD8FD.exe
file C:\Users\Administrator\AppData\Local\Temp\DEM831D.exe
file C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OMOXBAGH\Firefox%20Installer[1].exe
file C:\Users\Administrator\AppData\Local\Temp\DEM2B29.exe
file C:\Users\Administrator\AppData\Local\Temp\drvmgr\Microsoft_Visual_C++2012_x86_vcredist_x86.exe
file C:\Users\Administrator\AppData\Local\Temp\drvmgr\Microsoft_Visual_C++2008_Redistributable_vcredist_x86.exe
The binary likely contains encrypted or compressed data, indicating a packer is used (2 events)
section {'name': 'UPX1', 'virtual_address': '0x0000f000', 'virtual_size': '0x00007000', 'size_of_data': '0x00006200', 'entropy': 7.8382833206000795} entropy 7.8382833206000795 description High-entropy section found
entropy 0.98 description The overall entropy of this PE file is high
The executable is UPX compressed (3 events)
section UPX0 description Section name indicates UPX
section UPX1 description Section name indicates UPX
section UPX2 description Section name indicates UPX
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 114.114.114.114
Installs itself for autorun at Windows startup (2 events)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS reg_value C:\Windows\CTS.exe
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS reg_value C:\Windows\CTS.exe
File identified as malicious by 51 antivirus engines on VirusTotal (50 out of 51 events)
APEX Malicious
AVG Win32:Malware-gen
Acronis suspicious
Ad-Aware Trojan.GenericKDZ.53029
AhnLab-V3 Malware/RL.Generic.R246075
Antiy-AVL Trojan/Win32.AGeneric
Arcabit Trojan.Generic.DCF25
Avast Win32:Malware-gen
Avira HEUR/AGEN.1004962
BitDefender Trojan.GenericKDZ.53029
CAT-QuickHeal Trojan.Mauvaise.SL1
ClamAV Win.Malware.Cmifao2i9nl-6825052-0
Comodo Virus.Win32.Agent.VP@8ek9ga
CrowdStrike win/malicious_confidence_100% (D)
Cybereason malicious.daa0c0
Cylance Unsafe
Cyren W32/Trojan.ECUA-4313
DrWeb Trojan.DownLoader23.51365
ESET-NOD32 a variant of Win32/Agent.NCK
Emsisoft Trojan.GenericKDZ.53029 (B)
Endgame malicious (moderate confidence)
F-Prot W32/Trojan2.PZDI
F-Secure Heuristic.HEUR/AGEN.1004962
FireEye Generic.mg.f7677f1daa0c0051
Fortinet W32/Agent.NCK!tr
GData Trojan.GenericKDZ.53029
Ikarus Virus.Win32.Agent
Invincea heuristic
Jiangmin Trojan.Agent.brls
K7AntiVirus Trojan ( 0000e1321 )
K7GW Trojan ( 0000e1321 )
Kaspersky Trojan.Win32.Agent.neyndy
Lionic Trojan.Win32.Agent.tpMQ
MAX malware (ai score=89)
Malwarebytes Trojan.Agent
McAfee GenericRXGP-KT!8C9F558FD80E
McAfee-GW-Edition BehavesLike.Win32.PWSOnlineGames.mc
MicroWorld-eScan Trojan.GenericKDZ.53029
Microsoft Trojan:Win32/Wacatac.B!ml
NANO-Antivirus Trojan.Win32.RP.fkilpx
Qihoo-360 HEUR/QVM11.1.E003.Malware.Gen
Rising Ransom.Satan!1.B5F1 (CLASSIC)
SentinelOne DFI - Suspicious PE
Sophos W32/CTSInf-B
Symantec ML.Attribute.HighConfidence
TACHYON Trojan/W32.Agent.60729.B
Trapmine malicious.high.ml.score
VBA32 Trojan.Agent
Webroot W32.Trojan.Genkdz
Yandex Trojan.Agent!BgCNgJOEhBE
Visual analysis
Binary image
Runtime screenshots
No runtime screenshots: no screenshot was generated while this sample ran


PE Compile Time

2015-05-05 21:45:31

PE Imphash

f1a539a5b71ad53ac586f053145f08ec

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
UPX0 0x00001000 0x0000e000 0x00000000 0.0
UPX1 0x0000f000 0x00007000 0x00006200 7.8382833206000795
UPX2 0x00016000 0x00001000 0x00000200 2.9046664760200502

Imports

Library ADVAPI32.dll:
0x416064 RegCloseKey
Library KERNEL32.DLL:
0x41606c LoadLibraryA
0x416070 ExitProcess
0x416074 GetProcAddress
0x416078 VirtualProtect
Library ntdll.dll:
0x416080 NtClose
Library USER32.dll:
0x416088 wsprintfW

L!This program cannot be run in DOS mode.
F.'}'}'}>>}'}><}'}>?}'}_b}'}'}'}
=}'}Rich'}
&2>{<L`6|
"2yBXj4y
<2Hb|<
*>Vnyyzy
MBkIgv
CorExitProcesD
r:uVfsB
a *es"c`
?Jha C.
a"a?7vknVxeRekmxm.l
i&oJk5=
9ltZ=
?eG2*2
#;5>;prnu
1yA^tmt#pwem33p
}'ak?<8\
*f3m_3_[$sM
LzmWdmW
gsby00X
ssSkcv/r
%WfKLO-i
c /*l)4
sD'Mvi!
i? {xDXg[-Ca5v<TcO
8gS3G7TnOBS;G
n/mO ?
0w|\]f
l]cKgd!
aB:Ek<+
<uOMs_
kr'l-
7FlsAlloc
GetValu
S|AIniti
izeCrc
|k4c"onEx
maphof
"WpTh.dStackGuamranFeW5poolTimehO>_)WaF/
Clbsvsn
sh;WeBuffs
wpILibryWhenp!
RurnBxC
~Numbaw16Logw7
JnkWg~Defaul
Dir`ieZ
EnZsdm[
omp6tHngw
DFYpCn?U rUNa@Is
id)LCMh
We&ui.
s[7{Nn
jv('J.eA
c_&ygrzgsz
sC~?88s01
PMM/dd/yd
(,HH:mm:=pW
TeW3hyp"
nnks#B'r#
l?eR9X>vNv
Vmr#Zh=l/~
#J{SH
gD)pBoA_W
Wdowas'
kPopuxwObjJ
H ( *9 H
_[A #B
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`?!T
ABCDEFGHIJKLMNOPHQRSTUVWXYZ?
[./'*p*x*
#G !"9r#$%&=
6 7(89r098>@?H@#G
PAXC`Dhr
FpGxIJG
#VWZ^~9re
#G,%8&D'
9rP)\*h+t,#G-/29r
4567/G
94A@CLDdE
#pF|GI
9rJKLN
e k0l@A
&|yB 3qgrl
9r@LXCd
$09r<HT`#G
l&\8r
Lv.?,s
9rDP\Mh9
Gtg>6%
9rN8/t
#gGoZ(
P+_~878
r#GH1(x:G&4
/?@#gg
PS/P2\y6'7&
hgg$?9qvtf
#G>;@0v
T9q6r9
(V#gGh
#Ho`x8;r
]73z@
|W #G_$b
4<OT{'
ut+aOijN.k
onnpvp_r/rh|9k
h%0ruF!o
o\p;ell_f_
Vw{*zoum.fn
ooiOs?vk
6anolk;?ySv/
E2'GZ/
E?-rR'
[.r/h_;>
?-UGu/S
bO.pPxXNgRW
uUr`RoKwtiKA.vE&ttT
rRqyKOdDw9iUeYl]
vvBNOM7
NM>6Zxv
oEwokO
7NtKTe//s*YkZ
h$wb=mO&
4iK/t
ekW7gl
rwwsm_Mcg
GrilcS
mSEg_g/
:8VnC[1yNe
GLnBTHmC
OI2bCo*
SM_;6EP/fG
SqgY6'B_\vOgn
GTsR+OBW
CGK/nH?
WqLGAU7kf/B_P/Q
O7{3q-
wKgyz1;
c/WXl/b
/_ioadf
er!y/ypduvwt7e4Vbruo
w.qA<W
qpw[*e
.nnrm/
1KGns;G
hmB?S
liocBnok?jj.nsEql
p/_yWv
guGpwGup"
fu`-$/B
jRTIK#
5MKPRrhD%^T^VVXZ
Zj>l{MX
_q!tpv&xRz
@c2527
^.6 ?w
%p6Wg=<(RFzCxke&yZI
PF{xT2wro2Ds
jr478^H
l6/0tP
+&= QTI
Q`ME><x@,
9]vWF_G'm
;}r_^[D
XX_[]XPSGw
KW#DY?
xA@#@28
jD4vlZP,
#ISp>G
0{hSP
`FEQ`d$/
p,-:&jvFb
C/|2iaQ
'Xwa?x
^f|$<.tJ&<3
$`8G<i
}56LqF,uh
!3W0 %T
>|OHcH
H|(o\h_` <
xH = I
W4QQJ/
Ju{fm>S
V'0|:c
8+F:^|u
<!POEj
EQO`YY
euZ0r}
Ska]Wa%
e4)C=dD7
o}Genuu_
ineIuV
luM\@_WE%?
N8csmu%x
S^`F`y
_F\pjd
9J~dFd
,*A&u di*4S
?x<vdj
~$jv$eK0g
r@DDHn\H~H
q&zvl#QjY;'s
i&Va{}p
L`fYNGh
g$&t3V
pjCXfh{
4\p0(l6_;
bl:hYc0x#
5W6\uah
]md$'x
uP"_wY_}8h
;HghrR^h
pnp-;}
{3jXh~
7"Sf*I=#Z
@VAy}pXu)@*<v5}!
-%iRp+
IBx@_{t'W7-u{h:
ho-|~tIU
_3^8~F|[S
v/j@j _
tDk[}
} wE }?Z^=[UU
vM`jG@z
6>r!0@
"Sxa/8
4Xu;`%p
&_y98j
~a"f;5\
tDwYdX
zukdgx0
lYP^Ge
N@-zILt
+WtGqER6
]}%;d6t
VHQVxzu
~~wYCg%
e@0pD
2 ,<=u\_
]6,K+C9*v
?Vj ^yw
vTG~hT-/Mi([
^21,"6!t
Mufd]D8\pd
Q@x8ug
WQeR0mh
pp|[>K;~N
6Q<P_)
hx?4+\VL
S\)H!k
d--*0z
@pPV1sP
W3dKT<'Y2
8N3sBh=7[
P?I/||j
j3N(Jg7
Nst6rxt
-|Du}~
Q4_[@a
/pl []
FlP\kFg?]k
t4J0;t(W8m
>v;-(t&
WtA@I9,SG
'fO$fMc
V].!;VfIGh[lUe8
;aqnh {
po33S{qxt`
M,A3)}
VZfm.s_W~W
9$[/+rA0(=}b3
>4J{02#S%
FP-^r&
n9]vO}]t!PV
xvlUh$
[s^MUgFk0
t5ADt+
|C;vf9x
ROuk`]_^%[(
Rn8cchY
FWD__5
sGlmV"cS
/j(P3MP
) v$mT6i
%#HMra
5w<Cw6
/y&>t1
vYJHrp$0w
^{DluHPU
0~^w\VzQ
-EzIR=
G`pg`VM1uA
D(r@;}&kVdU
bA?9:C
tAa0r2"
J_Bild
9u&z3r
3v%O +*
_[t.|
WK~?(m$
?)$9}t
;tO9=0G%iSJM0
ZUe(hu
|b#?nT$
;v.4v\
(QBJ(U1L
lRQ2tG
8"1w{H
$V5714
YO;r"D
Ufg*YH]@
>Z6B0s$[
"WtL)||$R
OVdgkL;=
0gh>(n00
en+o 0}l
<|DD<<<;(hB
Wt1|9Wp+
';;22+hCd
FqkOHgbNZ
,'wAWS3
nP}>v`~p0g&
FFJu8O
lZIu$t
!++Qc`/?
YkVX!#
(}^ZKu
FV4crCu^
% $$r88<<\r@@DD.\.HHLL
$(,0''''4
DHLP\prTX
\`dhlptx|K
L2$2$$L&`2e
dIdI&I&I&d
$dI&(,0I&48<@`@eDH$L2LPTL2X\`
|$9E8RNJX8
~KYAr?
&&QSc($
-,*SYE
t, H)U@
u`sop1z~B
0xu|!h
s=~AQiw9]=3
 +]#LYD)
NjA[jZZ+U
t"ff5n
8x$;ag
<#6ic}Ou[Y/
!a0O`pY
r!}9%R
5C;0SGYDG
A$A$]6
5=fZg0
UQPX^Y[
^}SD\v
AuAApKu:7
@X fV+rZ/J<xifcZ
x?F}5$
ttW(J=N?<8(
nA_e!M5* ]+6ae
8cV7v_x
}?)LV DpY
d3FVv@D
<,!3~9U
.>!8K
RRP>m3TY
;Cg!$
Pe~,8n=?
vZh]@9H4W&
!]SZej%tVDxmQ
$QPcIM
j\B~<]
T@y=RtU$<
*B%H@1%
(S#_#!C
j<Cf>%;
vtL>T1%abWwu
/=+Hs;\.>$
Y^0k48|*
VVhU.12(
rbRlXq
i?18Q.$
L<.YCwP
5*o lRB$e
t7;t57
^^DVQpzA)qT
';_t|%
V(n1ci
8lh1'q
<0} U_!xV
lLY/7N2
Z2-(FS
'=aOV"x|?[ev
o?qCNw
;QqOHpDc
djR'L&Bv
/?_U[mP?
X\<`dhlpx<<<
y ,4@LPyT`t
4<D<LT\dlyt|^<y
0DyLTh~
v{giv_
_j2r1~#
??cU1<
/!5ACPgRvn/S
WYl/ymV p
?\pr)
XzxrTyp.-eW
1YkiiFile
<-{{+B
S;P[:;of
]Yv&dNexAW5Fm
xpaREnvinmeAfvC*sonm
roVaabg;[F[
dH6l}o
ModCP
mmfK;{VLIsw;[<
I^kedkKk
cFm+De
FliiwF10I{h
E+7Addr/
M<tiBy oWivCha>"xq-
XuZ`tER`
ZYUn}9,
|V+1Unh
S9+*km$T.m-""P
,ASveV
CCUagA`
NbugNrG
Rtl`wi
g1Key9+S
tnRJX9/o_:W=Acqu
N+/tWI{
8afQq6
Wwspdtf
,&1/$-7(
,!*2vw
\K.reJf!;-N"Bw
XPTPSWXaD$j
ADVAPI32.dll
KERNEL32.DLL
ntdll.dll
USER32.dll
RegCloseKey
ExitProcess
GetProcAddress
LoadLibraryA
VirtualProtect
NtClose
wsprintfW
u+"06J~!=k>
G~Z}c
7j M4_$
x.^8lF

Process Tree


0b4d6ec4bfbc48e2616bfbe592ca9769a0f03d6f43d41cabdbab5e97129ae541.exe, PID: 1064, Parent PID: 2284


CTS.exe, PID: 2112, Parent PID: 1064


DNS

Name Response Post-Analysis Lookup
dns.msftncsi.com A 131.107.255.255 131.107.255.255
dns.msftncsi.com AAAA fd3e:4f5a:5b81::1 131.107.255.255

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.56.101 53179 224.0.0.252 5355
192.168.56.101 49642 224.0.0.252 5355
192.168.56.101 137 192.168.56.255 137
192.168.56.101 61714 114.114.114.114 53
192.168.56.101 56933 114.114.114.114 53
192.168.56.101 138 192.168.56.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name ecbc493384931d25_microsoft_visual_c++2010_x86_redistributable_vcredist_x86.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\drvmgr\Microsoft_Visual_C++2010_x86_Redistributable_vcredist_x86.exe
Size 4.9MB
Processes 2112 (CTS.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 fec79ef8ddb93b251425468052d0c345
SHA1 2683b20defecdaf185f0863454d30d6b6311bf46
SHA256 ecbc493384931d25e08839eddc84dbec5cf9aa00194e8ed553023fdf523e010d
CRC32 EFB5A42D
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name 1955407b2fd523e3_cts.exe
Filepath C:\Windows\CTS.exe
Size 26.0KB
Processes 1064 (0b4d6ec4bfbc48e2616bfbe592ca9769a0f03d6f43d41cabdbab5e97129ae541.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 286211b8e0aad0533c45d8b8c351cc70
SHA1 cb54a305a566c00742fb972c4ee62266e880ea78
SHA256 1955407b2fd523e375303d560b987216b95105b421a8471218c0b65ceba847f3
CRC32 3904B6DD
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name 6b40228273b1f0aa_dxsetup.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\drvmgr\DXSETUP.exe
Size 550.9KB
Processes 2112 (CTS.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 4a8461b2fb1d76498eb1add0edd8b264
SHA1 260a5e997194ed44b4e12af17d30cf81d09da06d
SHA256 6b40228273b1f0aae43f149fe63dc7df51197f99974c4fb67af7fdc0a05bdea9
CRC32 F2171B0F
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name ee7fd3c07a5822b8_gz50fvw2x0c4c6h.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\gz50Fvw2X0c4C6H.exe
Size 26.3KB
Processes 1064 (0b4d6ec4bfbc48e2616bfbe592ca9769a0f03d6f43d41cabdbab5e97129ae541.exe) 2112 (CTS.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 11ca4aead30cb7efb23a1add1d86104b
SHA1 d7c9fb5a4f1c49df8f49f82b3e7fdd8fb3d223c7
SHA256 ee7fd3c07a5822b81be42f7f53c331dcfffb87b13cf9596c417a8713e3834530
CRC32 BBD0AE2F
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name f19c7411a4fa650c_microsoft_visual_c++2008_redistributable_vcredist_x64.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\drvmgr\Microsoft_Visual_C++2008_Redistributable_vcredist_x64.exe
Size 2.2MB
Processes 2112 (CTS.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 457bb2c9fc9def70fae72438b97f54e9
SHA1 be5b56d0c411fbdba87cf61e57eb3747de0d62bb
SHA256 f19c7411a4fa650c004014aaf2b266376347944ead4ecb1707f5a271ca1941d8
CRC32 DFC78414
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name 131c71fac5a64bba_cpuz_x64.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\cpuz_x64.exe
Size 4.1MB
Processes 2112 (CTS.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 4d1c6abc2d394664f3f85874fade982d
SHA1 920907e819565004e800a8341dfb7d94309f166e
SHA256 131c71fac5a64bba669a4996cf8ebfec2e5558b754943497189d4948a2fd45b7
CRC32 9C34DE3D
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name 150c87e64629af66_rootsupd.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\{5612CBE7-9CDF-4014-9454-1A3AE75C0CEE}.tmp\rootsupd.exe
Size 474.3KB
Processes 2112 (CTS.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 bd4b5a5120fa9e858b0b5a45507bcaf3
SHA1 103af01e25f6b32344defe2a500b67a77d72d056
SHA256 150c87e64629af665c7a4f0fced4dc2c949c75f915a727be3bb274982810f50d
CRC32 E812DD1B
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name cf7eb1883a275ad9_microsoft_visual_c++2012_x64_vcredist_x64.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\drvmgr\Microsoft_Visual_C++2012_x64_vcredist_x64.exe
Size 6.9MB
Processes 2112 (CTS.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 d9967412cbd994e08332ad664fb70f26
SHA1 f06ac9d571b347f8f1d5af1479f1e8f78364daf1
SHA256 cf7eb1883a275ad9e43afde13288d6ea6034fd201ecaba4523dd53a11972ce1a
CRC32 FAF7F68F
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name c1aba060dce066d1_5d895343d099053ee9ebbad5d42826b3d5a45e8fa32f48cf6b1cae1fc08cbd4a.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\5d895343d099053ee9ebbad5d42826b3d5a45e8fa32f48cf6b1cae1fc08cbd4a.exe
Size 40.6KB
Processes 2112 (CTS.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 e32ff0ff587d8995a2f8f5bb6d2de5f3
SHA1 364ab4997fed51d311489bf152b00b9402b5ffe1
SHA256 c1aba060dce066d1c157b3c08e9e62c08cb7e3b26d1a9319da8c663f7a086511
CRC32 2B1ED3F8
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name 25dd3c64f8041459_microsoft_visual_c++2010_x64_redistributable_vcredist_x64.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\drvmgr\Microsoft_Visual_C++2010_x64_Redistributable_vcredist_x64.exe
Size 5.5MB
Processes 2112 (CTS.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 c166183b1c49f2097fd3b4ff59b199fd
SHA1 f76a73a883dee65c398df04337a0d5f47a14a18e
SHA256 25dd3c64f8041459a1b571d81f69c3ec3f53b94697e172fb8a5d4812c1b206cd
CRC32 727BEEFE
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name d200095665f42ad8_directx_jun2010_redist.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\drvmgr\directx_jun2010_redist.exe
Size 50.0MB
Processes 2112 (CTS.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 bbd41caec5d348341cd9e7f98a61ccaa
SHA1 f4b3735c07ac054f759f5bfbb1579c60bf25bc40
SHA256 5c7f32d780580cb496dd752dc9e17bd68d12ebfd87a742b3699cb5f60bb67edc
CRC32 EE23F3EA
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name 70464d12b203bcb6_demd8fd.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\DEMD8FD.exe
Size 40.7KB
Processes 2112 (CTS.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 5ba254dd088d7280befd85904971cf20
SHA1 ef57c585b537eea1138232baa0763e96ea465825
SHA256 70464d12b203bcb6f013cde0ebc84118eb442b743600104e50f7806d62af1ebc
CRC32 93C34AFB
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name 4c07025ea0ef23c7_dem831d.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\DEM831D.exe
Size 40.7KB
Processes 2112 (CTS.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 608eb6a73ffb5a69bd091e448dd825d8
SHA1 f8535106b9f8f7732f619fd03bf16ce090c6b64d
SHA256 4c07025ea0ef23c79362531b3326e4713fcfdf31d1c30bcca8ed0f6b5ca8a9bd
CRC32 965215E0
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name 21dcbdbec6285272_firefox%20installer[1].exe
Filepath C:\Users\Administrator\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OMOXBAGH\Firefox%20Installer[1].exe
Size 389.4KB
Processes 2112 (CTS.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 91783ab26641c242ce46e1a759e8a1a9
SHA1 ddef5ec25d418a23fddff1bcf6c7f293ec327df0
SHA256 21dcbdbec6285272feab812867ab9d7500cc37d4622c2e86c7808c8a7c68df24
CRC32 DF23C7A4
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name 0659ac28d8c976b3_guanwang__360drvmgrinstaller_beta.exe
Filepath C:\Users\Administrator\Downloads\guanwang__360DrvMgrInstaller_beta.exe
Size 19.5MB
Processes 2112 (CTS.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 9044a61fce323c33b43eec9708bfcaca
SHA1 e65ff3b81992dd80da07ebcd101a326a0a7ba556
SHA256 0659ac28d8c976b3bbb3709ac8e933243915645b161c3992d279a3cd7bc67187
CRC32 2A71619B
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name be78824c49dd8d32_dem2b29.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\DEM2B29.exe
Size 40.7KB
Processes 2112 (CTS.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 62deef1b3c8cba76654cd83b702ea618
SHA1 36f105b65f86f5f2ace7dc6b8b81b7af0fc9bafc
SHA256 be78824c49dd8d32e9f8cc7556b666e02807346a5c55e3e4db0fe4bdcd491589
CRC32 3F23DC8E
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name e56ec1da38f52d9c_microsoft_visual_c++2012_x86_vcredist_x86.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\drvmgr\Microsoft_Visual_C++2012_x86_vcredist_x86.exe
Size 6.3MB
Processes 2112 (CTS.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 24d2bf642e54b4f8be3c5c8ed095c070
SHA1 d9d1f7d23bd5e3d152b42f950f1a1f5392df888c
SHA256 e56ec1da38f52d9c139ba5302b0f171a2b1c74281e2c357133ff92b351d6c744
CRC32 41591BEC
ssdeep None
Yara None matched
VirusTotal Search for analysis
Name 9fec209c6c5a985b_microsoft_visual_c++2008_redistributable_vcredist_x86.exe
Filepath C:\Users\Administrator\AppData\Local\Temp\drvmgr\Microsoft_Visual_C++2008_Redistributable_vcredist_x86.exe
Size 1.7MB
Processes 2112 (CTS.exe)
Type PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5 a60a031cac74824bcb5cf67c2f9bc774
SHA1 0ffb81ab4d89db49a76398b9d460fa8182b12ac5
SHA256 9fec209c6c5a985bd2c7b7963e176b8e18a051981bf1b99ddbc7876921a5bb70
CRC32 75141B1B
ssdeep None
Yara None matched
VirusTotal Search for analysis
Sorry! No dropped buffers.