SmartHawk

10.8

0-day

50 个模型检测该样本为恶意！

重新分析

下载样本

07338ed99cf480aedcb15117b0fa97eff209c236907fb66e7827a8a0cd05abdf

5af98af9163d50a9d2d09e3470f4d314.exe

分析耗时

150s

最近分析

文件大小

452.0KB

静态报毒动态报毒 100% AI SCORE=87 BANKERX CLASSIC CONFIDENCE CQ0@AMEYG5KO DOWNLOADER34 ELDORADO EMOTET GDMK GENCIRC GENERICKD GENETIC HFYL HIGH CONFIDENCE HUBYLX IHIOI KRYPTIK MALWARE@#2J1GEUAM073ET POSSIBLETHREAT QVM09 R + TROJ R350747 SOCELARSTAH SUSGEN TROJANBANKER UNSAFE ZEXAE 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Emotet-FSC!5AF98AF9163D	20201022	6.0.6.653
Alibaba	Trojan:Win32/Emotet.01721ef7	20190527	0.3.0.5
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0
Baidu		20190318	1.0.0.2
Avast	Win32:BankerX-gen [Trj]	20201022	18.4.3895.0
Tencent	Malware.Win32.Gencirc.10cdfdbb	20201022	1.0.0.1
Kingsoft		20201022	2013.8.14.323

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620772312.520626 GetComputerNameA	computer_name: OSKAR-PC	success	1	0

Uses Windows APIs to generate a cryptographic key (5 个事件)

Time & API	Arguments	Status	Return
1620772301.177626 CryptGenKey	crypto_handle: 0x005968e0 algorithm_identifier: 0x0000660e () provider_handle: 0x00595b20 flags: 1 key: f\|©·õüA:gè\¾H	success	1
1620772312.536626 CryptExportKey	crypto_handle: 0x005968e0 crypto_export_handle: 0x00595be8 buffer: f¤~¬)=7òÚ®ç·°·Î³º§oii,ÌbÜó®ang]Ú¥µ[èz4hZ÷nu¡[ 9ç$ËìÝýØtLm~miuf&$6ï\yJáÛx blob_type: 1 flags: 64	success	1
1620772340.723626 CryptExportKey	crypto_handle: 0x005968e0 crypto_export_handle: 0x00595be8 buffer: f¤aàµ´åy)UÀäVG¾LÂËåÌ*Æ»åÙÕéÑ5V^9iI£úÕ´jJ]l\þHÃÝuRîO""x¼\B@þ¯¬»\UloËS blob_type: 1 flags: 64	success	1
1620772345.067626 CryptExportKey	crypto_handle: 0x005968e0 crypto_export_handle: 0x00595be8 buffer: f¤'2É¤ZnóLW0ó"J»Åf4È2©¦\|m©ó\|¶{+¤ÁÒ·tGoÁt¸~Q¹ó³ÃqvU¼¢xA6¾P3»}+ôR!sÒF%§âÂL% blob_type: 1 flags: 64	success	1
1620772349.223626 CryptExportKey	crypto_handle: 0x005968e0 crypto_export_handle: 0x00595be8 buffer: f¤¥ÞÕDÛ^´Âø2 ÒïèÎ TpU²Gléô¢7}àdÊ¾ðöq³\|Ñ®w²rvGNx¤®#zÃN(Æ«¬R¸I¶´2®Ùô9P ´dI¤ blob_type: 1 flags: 64	success	1

The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)

resource name

None

Performs some HTTP requests (3 个事件)

request	HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620743071&mv=m&mvi=1&pl=23&shardbypass=yes
request	HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=e03d90c6c083f88f&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620743071&mv=m&mvi=3

Allocates read-write-execute memory (usually to unpack itself) (3 个事件)

Time & API	Arguments	Status
1620772294.567499 NtAllocateVirtualMemory	process_identifier: 2008 region_size: 45056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00580000	success
1620772355.755876 NtAllocateVirtualMemory	process_identifier: 1424 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00000000040d0000	success
1620772298.317626 NtAllocateVirtualMemory	process_identifier: 1816 region_size: 45056 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01ec0000	success

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (9 个事件)

Time & API	Arguments	Status	Return
1620772300.958626 Process32NextW	process_name: 5af98af9163d50a9d2d09e3470f4d314.exe snapshot_handle: 0x00000170 process_identifier: 2008	success	1
1620772300.958626 Process32NextW	process_name: schtasks.exe snapshot_handle: 0x00000170 process_identifier: 1752	success	1
1620772300.958626 Process32NextW	process_name: docprop.exe snapshot_handle: 0x00000170 process_identifier: 1816	success	1
1620772345.067626 Process32NextW	process_name: mscorsvw.exe snapshot_handle: 0x000003c4 process_identifier: 3124	success	1
1620772345.067626 Process32NextW	process_name: mscorsvw.exe snapshot_handle: 0x000003c4 process_identifier: 3156	success	1
1620772349.223626 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x000003e4 process_identifier: 3228	success	1
1620772349.223626 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x000003e4 process_identifier: 3260	success	1
1620772349.223626 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x000003e4 process_identifier: 3284	success	1
1620772349.223626 Process32NextW	process_name: sppsvc.exe snapshot_handle: 0x000003e4 process_identifier: 3376	success	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620772294.567499 NtProtectVirtualMemory	process_identifier: 2008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 28672 protection: 32 (PAGE_EXECUTE_READ) process_handle: 0xffffffff base_address: 0x005b1000	success	0	0

Moves the original executable to a new location (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620772295.348499 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5af98af9163d50a9d2d09e3470f4d314.exe newfilepath: C:\Windows\SysWOW64\korwbrkr\docprop.exe newfilepath_r: C:\Windows\SysWOW64\korwbrkr\docprop.exe flags: 3 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\5af98af9163d50a9d2d09e3470f4d314.exe	success	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620772312.958626 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

Expresses interest in specific running processes (1 个事件)

process

docprop.exe

Reads the systems User Agent and subsequently performs requests (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620772312.692626 InternetOpenW	proxy_bypass: access_type: 0 proxy_name: flags: 0 user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)	success	13369348	0

Communicates with host for which no DNS query was performed (6 个事件)

host	142.44.137.67
host	162.241.242.173
host	172.217.24.14
host	192.158.216.73
host	85.214.28.226
host	203.208.40.34

Installs itself for autorun at Windows startup (1 个事件)

service_name

docprop

service_path

C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\korwbrkr\docprop.exe"

Created a service where a service was also not started (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620772296.442499 CreateServiceW	service_start_name: start_type: 2 service_handle: 0x02b5dd20 display_name: docprop error_control: 0 service_name: docprop filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\korwbrkr\docprop.exe" filepath_r: "C:\Windows\SysWOW64\korwbrkr\docprop.exe" service_manager_handle: 0x02b5dcf8 desired_access: 2 service_type: 16 password:	success	45473056	0

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)

Time & API	Arguments	Status
1620772316.255626 RegSetValueExA	key_handle: 0x000003c4 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1620772316.255626 RegSetValueExA	key_handle: 0x000003c4 value: ðV]F× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1620772316.255626 RegSetValueExA	key_handle: 0x000003c4 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1620772316.255626 RegSetValueExW	key_handle: 0x000003c4 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1620772316.255626 RegSetValueExA	key_handle: 0x000003dc value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1620772316.255626 RegSetValueExA	key_handle: 0x000003dc value: ðV]F× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1620772316.255626 RegSetValueExA	key_handle: 0x000003dc value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1620772316.270626 RegSetValueExW	key_handle: 0x000003c0 value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success

Attempts to remove evidence of file being downloaded from the Internet (1 个事件)

file	C:\Windows\SysWOW64\korwbrkr\docprop.exe:Zone.Identifier

Generates some ICMP traffic

File has been identified by 50 AntiVirus engines on VirusTotal as malicious (50 个事件)

Bkav	W32.SocelarsTAH.Trojan
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.43931446
FireEye	Generic.mg.5af98af9163d50a9
McAfee	Emotet-FSC!5AF98AF9163D
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Trojan ( 0056dc3b1 )
Alibaba	Trojan:Win32/Emotet.01721ef7
K7GW	Trojan ( 0056dc3b1 )
CrowdStrike	win/malicious_confidence_100% (W)
Arcabit	Trojan.Generic.D29E5736
Cyren	W32/Kryptik.BWK.gen!Eldorado
Symantec	Packed.Generic.554
APEX	Malicious
Avast	Win32:BankerX-gen [Trj]
ClamAV	Win.Packed.Emotet-9753169-0
Kaspersky	Trojan-Banker.Win32.Emotet.gdmk
BitDefender	Trojan.GenericKD.43931446
NANO-Antivirus	Trojan.Win32.Emotet.hubylx
Paloalto	generic.ml
AegisLab	Trojan.Win32.Emotet.L!c
Tencent	Malware.Win32.Gencirc.10cdfdbb
Ad-Aware	Trojan.GenericKD.43931446
Comodo	Malware@#2j1geuam073et
DrWeb	Trojan.DownLoader34.32516
VIPRE	Trojan.Win32.Generic!BT
Invincea	Mal/Generic-R + Troj/Emotet-CNA
McAfee-GW-Edition	BehavesLike.Win32.Emotet.gh
Sophos	Troj/Emotet-CNA
Jiangmin	Trojan.Banker.Emotet.ohu
Webroot	W32.Trojan.Gen
Avira	TR/Crypt.Agent.ihioi
MAX	malware (ai score=87)
Microsoft	Trojan:Win32/Emotet.ARJ!MTB
ZoneAlarm	Trojan-Banker.Win32.Emotet.gdmk
GData	Trojan.GenericKD.43931446
AhnLab-V3	Trojan/Win32.Emotet.R350747
BitDefenderTheta	Gen:NN.ZexaE.34570.Cq0@amEyG5kO
ALYac	Trojan.Agent.Emotet
TACHYON	Banker/W32.Emotet.462848.F
VBA32	TrojanBanker.Emotet
ESET-NOD32	a variant of Win32/Kryptik.HFYL
Rising	Trojan.Emotet!1.CBDE (CLASSIC)
Ikarus	Trojan-Banker.Emotet
MaxSecure	Trojan.Malware.106378977.susgen
Fortinet	PossibleThreat.MU
AVG	Win32:BankerX-gen [Trj]
Panda	Trj/Genetic.gen
Qihoo-360	Generic/HEUR/QVM09.0.C4FB.Malware.Gen

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (7 个事件)

dead_host	172.217.160.110:443
dead_host	172.217.24.14:443
dead_host	162.241.242.173:8080
dead_host	192.158.216.73:80
dead_host	192.168.56.101:49187
dead_host	85.214.28.226:8080
dead_host	172.217.160.78:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-09-04 16:54:57

Imports

Library KERNEL32.dll:

• 0x43e0ac GetFileAttributesA

• 0x43e0b0 GetFileTime

• 0x43e0b4 SetErrorMode

• 0x43e0b8 GetTickCount

• 0x43e0bc RtlUnwind

• 0x43e0c0 HeapAlloc

• 0x43e0c4 TerminateProcess

• 0x43e0c8 UnhandledExceptionFilter

• 0x43e0cc SetUnhandledExceptionFilter

• 0x43e0d0 IsDebuggerPresent

• 0x43e0d4 HeapFree

• 0x43e0d8 HeapReAlloc

• 0x43e0dc VirtualProtect

• 0x43e0e0 VirtualAlloc

• 0x43e0e4 GetSystemInfo

• 0x43e0e8 VirtualQuery

• 0x43e0ec GetSystemTimeAsFileTime

• 0x43e0f0 RaiseException

• 0x43e0f4 GetCommandLineA

• 0x43e0f8 GetProcessHeap

• 0x43e0fc GetStartupInfoA

• 0x43e100 ExitProcess

• 0x43e104 HeapSize

• 0x43e108 SetStdHandle

• 0x43e10c GetFileType

• 0x43e110 Sleep

• 0x43e114 GetACP

• 0x43e118 LCMapStringW

• 0x43e11c VirtualFree

• 0x43e120 HeapDestroy

• 0x43e124 HeapCreate

• 0x43e128 GetStdHandle

• 0x43e12c GetStringTypeA

• 0x43e130 GetStringTypeW

• 0x43e134 GetTimeZoneInformation

• 0x43e138 FreeEnvironmentStringsA

• 0x43e13c GetEnvironmentStrings

• 0x43e140 FreeEnvironmentStringsW

• 0x43e144 GetEnvironmentStringsW

• 0x43e148 SetHandleCount

• 0x43e14c QueryPerformanceCounter

• 0x43e150 GetConsoleCP

• 0x43e154 GetConsoleMode

• 0x43e158 WriteConsoleA

• 0x43e15c GetConsoleOutputCP

• 0x43e160 WriteConsoleW

• 0x43e164 SetEnvironmentVariableA

• 0x43e168 GetOEMCP

• 0x43e16c GetCPInfo

• 0x43e170 CreateFileA

• 0x43e174 GetFullPathNameA

• 0x43e178 GetVolumeInformationA

• 0x43e17c FindFirstFileA

• 0x43e180 FindClose

• 0x43e184 GetCurrentProcess

• 0x43e188 DuplicateHandle

• 0x43e18c GetThreadLocale

• 0x43e190 SetEndOfFile

• 0x43e194 UnlockFile

• 0x43e198 LockFile

• 0x43e19c FlushFileBuffers

• 0x43e1a0 SetFilePointer

• 0x43e1a4 WriteFile

• 0x43e1a8 ReadFile

• 0x43e1ac InterlockedIncrement

• 0x43e1b0 TlsFree

• 0x43e1b4 LocalReAlloc

• 0x43e1b8 TlsSetValue

• 0x43e1bc TlsAlloc

• 0x43e1c0 GlobalHandle

• 0x43e1c4 GlobalReAlloc

• 0x43e1c8 TlsGetValue

• 0x43e1cc GlobalFlags

• 0x43e1d0 LocalAlloc

• 0x43e1d4 LeaveCriticalSection

• 0x43e1d8 EnterCriticalSection

• 0x43e1dc DeleteCriticalSection

• 0x43e1e0 InitializeCriticalSection

• 0x43e1e4 FileTimeToLocalFileTime

• 0x43e1e8 FileTimeToSystemTime

• 0x43e1ec InterlockedDecrement

• 0x43e1f0 GetModuleFileNameW

• 0x43e1f4 GlobalGetAtomNameA

• 0x43e1f8 GlobalFindAtomA

• 0x43e1fc lstrcmpW

• 0x43e200 GetVersionExA

• 0x43e204 FormatMessageA

• 0x43e208 LocalFree

• 0x43e20c MulDiv

• 0x43e210 WritePrivateProfileStringA

• 0x43e214 GlobalUnlock

• 0x43e218 GlobalFree

• 0x43e21c FreeResource

• 0x43e220 GetCurrentProcessId

• 0x43e224 SetLastError

• 0x43e228 GlobalAddAtomA

• 0x43e22c WaitForSingleObject

• 0x43e230 GetCurrentThread

• 0x43e234 GetCurrentThreadId

• 0x43e238 ConvertDefaultLocale

• 0x43e23c GetModuleFileNameA

• 0x43e240 EnumResourceLanguagesA

• 0x43e244 GetLocaleInfoA

• 0x43e248 LoadLibraryA

• 0x43e24c GlobalLock

• 0x43e250 lstrcmpA

• 0x43e254 GlobalAlloc

• 0x43e258 FreeLibrary

• 0x43e25c GlobalDeleteAtom

• 0x43e260 GetModuleHandleA

• 0x43e264 GetFileSize

• 0x43e268 CloseHandle

• 0x43e26c lstrlenA

• 0x43e270 CompareStringW

• 0x43e274 CompareStringA

• 0x43e278 GetVersion

• 0x43e27c GetLastError

• 0x43e280 MultiByteToWideChar

• 0x43e284 InterlockedExchange

• 0x43e288 WideCharToMultiByte

• 0x43e28c GetProcAddress

• 0x43e290 FindResourceA

• 0x43e294 LoadResource

• 0x43e298 LockResource

• 0x43e29c LCMapStringA

• 0x43e2a0 SizeofResource

Library USER32.dll:

• 0x43e2f8 InvalidateRect

• 0x43e2fc InvalidateRgn

• 0x43e300 GetNextDlgGroupItem

• 0x43e304 MessageBeep

• 0x43e308 UnregisterClassA

• 0x43e30c RegisterClipboardFormatA

• 0x43e310 PostThreadMessageA

• 0x43e314 EndPaint

• 0x43e318 BeginPaint

• 0x43e31c GetWindowDC

• 0x43e320 ClientToScreen

• 0x43e324 GrayStringA

• 0x43e328 DrawTextExA

• 0x43e32c DrawTextA

• 0x43e330 TabbedTextOutA

• 0x43e334 DestroyMenu

• 0x43e338 ShowWindow

• 0x43e33c MoveWindow

• 0x43e340 SetWindowTextA

• 0x43e344 IsDialogMessageA

• 0x43e348 SetDlgItemTextA

• 0x43e34c RegisterWindowMessageA

• 0x43e350 SendDlgItemMessageA

• 0x43e354 WinHelpA

• 0x43e358 IsChild

• 0x43e35c GetCapture

• 0x43e360 GetClassLongA

• 0x43e364 GetClassNameA

• 0x43e368 SetPropA

• 0x43e36c GetPropA

• 0x43e370 RemovePropA

• 0x43e374 SetFocus

• 0x43e378 GetWindowTextLengthA

• 0x43e37c GetWindowTextA

• 0x43e380 GetForegroundWindow

• 0x43e384 GetTopWindow

• 0x43e388 SetRect

• 0x43e38c GetMessageTime

• 0x43e390 GetMessagePos

• 0x43e394 MapWindowPoints

• 0x43e398 SetForegroundWindow

• 0x43e39c UpdateWindow

• 0x43e3a0 GetMenu

• 0x43e3a4 CreateWindowExA

• 0x43e3a8 GetClassInfoExA

• 0x43e3ac GetClassInfoA

• 0x43e3b0 GetSysColor

• 0x43e3b4 AdjustWindowRectEx

• 0x43e3b8 EqualRect

• 0x43e3bc PtInRect

• 0x43e3c0 GetDlgCtrlID

• 0x43e3c4 DefWindowProcA

• 0x43e3c8 CallWindowProcA

• 0x43e3cc SetWindowLongA

• 0x43e3d0 OffsetRect

• 0x43e3d4 IntersectRect

• 0x43e3d8 SystemParametersInfoA

• 0x43e3dc GetWindowPlacement

• 0x43e3e0 GetWindowRect

• 0x43e3e4 GetMenuItemID

• 0x43e3e8 GetMenuItemCount

• 0x43e3ec GetSubMenu

• 0x43e3f0 GetWindow

• 0x43e3f4 SetWindowContextHelpId

• 0x43e3f8 MapDialogRect

• 0x43e3fc SetWindowPos

• 0x43e400 ReleaseDC

• 0x43e404 GetDC

• 0x43e408 CopyRect

• 0x43e40c GetDesktopWindow

• 0x43e410 SetActiveWindow

• 0x43e414 CreateDialogIndirectParamA

• 0x43e418 DestroyWindow

• 0x43e41c GetDlgItem

• 0x43e420 GetNextDlgTabItem

• 0x43e424 EndDialog

• 0x43e428 GetWindowThreadProcessId

• 0x43e42c GetWindowLongA

• 0x43e430 GetLastActivePopup

• 0x43e434 IsWindowEnabled

• 0x43e438 MessageBoxA

• 0x43e43c SetCursor

• 0x43e440 SetWindowsHookExA

• 0x43e444 CallNextHookEx

• 0x43e448 GetMessageA

• 0x43e44c IsRectEmpty

• 0x43e450 CopyAcceleratorTableA

• 0x43e454 CharNextA

• 0x43e458 GetSysColorBrush

• 0x43e45c ReleaseCapture

• 0x43e460 LoadCursorA

• 0x43e464 UnhookWindowsHookEx

• 0x43e468 SetCapture

• 0x43e46c TranslateMessage

• 0x43e470 DispatchMessageA

• 0x43e474 GetActiveWindow

• 0x43e478 IsWindowVisible

• 0x43e47c GetKeyState

• 0x43e480 PeekMessageA

• 0x43e484 GetCursorPos

• 0x43e488 ValidateRect

• 0x43e48c SetMenuItemBitmaps

• 0x43e490 GetMenuCheckMarkDimensions

• 0x43e494 LoadBitmapA

• 0x43e498 GetFocus

• 0x43e49c GetParent

• 0x43e4a0 ModifyMenuA

• 0x43e4a4 GetMenuState

• 0x43e4a8 EnableMenuItem

• 0x43e4ac CheckMenuItem

• 0x43e4b0 PostMessageA

• 0x43e4b4 PostQuitMessage

• 0x43e4b8 IsWindow

• 0x43e4bc RedrawWindow

• 0x43e4c0 CharUpperA

• 0x43e4c4 GetSystemMetrics

• 0x43e4c8 LoadIconA

• 0x43e4cc EnableWindow

• 0x43e4d0 GetClientRect

• 0x43e4d4 IsIconic

• 0x43e4d8 GetSystemMenu

• 0x43e4dc SendMessageA

• 0x43e4e0 AppendMenuA

• 0x43e4e4 DrawIcon

• 0x43e4e8 RegisterClassA

Library GDI32.dll:

• 0x43e028 SetWindowExtEx

• 0x43e02c ScaleWindowExtEx

• 0x43e030 ExtSelectClipRgn

• 0x43e034 DeleteDC

• 0x43e038 GetStockObject

• 0x43e03c ScaleViewportExtEx

• 0x43e040 GetMapMode

• 0x43e044 GetBkColor

• 0x43e048 GetTextColor

• 0x43e04c GetRgnBox

• 0x43e050 DeleteObject

• 0x43e054 SetViewportExtEx

• 0x43e058 OffsetViewportOrgEx

• 0x43e05c SetViewportOrgEx

• 0x43e060 SelectObject

• 0x43e064 Escape

• 0x43e068 TextOutA

• 0x43e06c RectVisible

• 0x43e070 PtVisible

• 0x43e074 GetWindowExtEx

• 0x43e078 CreateBitmap

• 0x43e07c SetMapMode

• 0x43e080 RestoreDC

• 0x43e084 SaveDC

• 0x43e088 ExtTextOutA

• 0x43e08c GetObjectA

• 0x43e090 SetBkColor

• 0x43e094 SetTextColor

• 0x43e098 GetClipBox

• 0x43e09c GetDeviceCaps

• 0x43e0a0 CreateRectRgnIndirect

• 0x43e0a4 GetViewportExtEx

Library comdlg32.dll:

• 0x43e53c GetFileTitleA

Library WINSPOOL.DRV:

• 0x43e52c DocumentPropertiesA

• 0x43e530 OpenPrinterA

• 0x43e534 ClosePrinter

Library ADVAPI32.dll:

• 0x43e000 RegSetValueExA

• 0x43e004 RegCreateKeyExA

• 0x43e008 RegQueryValueA

• 0x43e00c RegOpenKeyA

• 0x43e010 RegEnumKeyA

• 0x43e014 RegDeleteKeyA

• 0x43e018 RegOpenKeyExA

• 0x43e01c RegQueryValueExA

• 0x43e020 RegCloseKey

Library SHLWAPI.dll:

• 0x43e2e0 PathFindFileNameA

• 0x43e2e4 UrlUnescapeA

• 0x43e2e8 PathStripToRootA

• 0x43e2ec PathFindExtensionA

• 0x43e2f0 PathIsUNCA

Library oledlg.dll:

• 0x43e584

Library ole32.dll:

• 0x43e544 StgOpenStorageOnILockBytes

• 0x43e548 CLSIDFromProgID

• 0x43e54c CLSIDFromString

• 0x43e550 CoTaskMemFree

• 0x43e554 CoTaskMemAlloc

• 0x43e558 CoGetClassObject

• 0x43e55c StgCreateDocfileOnILockBytes

• 0x43e560 CreateILockBytesOnHGlobal

• 0x43e564 OleUninitialize

• 0x43e568 CoFreeUnusedLibraries

• 0x43e56c OleInitialize

• 0x43e570 CoRevokeClassObject

• 0x43e574 OleIsCurrentClipboard

• 0x43e578 OleFlushClipboard

• 0x43e57c CoRegisterMessageFilter

Library OLEAUT32.dll:

• 0x43e2a8 VariantCopy

• 0x43e2ac SysAllocString

• 0x43e2b0 SafeArrayDestroy

• 0x43e2b4 OleCreateFontIndirect

• 0x43e2b8 SysAllocStringByteLen

• 0x43e2bc SysStringLen

• 0x43e2c0 VariantInit

• 0x43e2c4 VariantChangeType

• 0x43e2c8 VariantClear

• 0x43e2cc SysAllocStringLen

• 0x43e2d0 SysFreeString

• 0x43e2d4 SystemTimeToVariantTime

• 0x43e2d8 VariantTimeToSystemTime

Library WININET.dll:

• 0x43e4f0 InternetOpenUrlA

• 0x43e4f4 InternetReadFile

• 0x43e4f8 InternetWriteFile

• 0x43e4fc InternetSetFilePointer

• 0x43e500 InternetSetStatusCallback

• 0x43e504 InternetOpenA

• 0x43e508 InternetGetLastResponseInfoA

• 0x43e50c InternetCloseHandle

• 0x43e510 HttpQueryInfoA

• 0x43e514 InternetQueryDataAvailable

• 0x43e518 InternetQueryOptionA

• 0x43e51c InternetCanonicalizeUrlA

• 0x43e520 InternetCrackUrlA

• 0x43e524 InternetSetOptionExA

Exports

Ordinal	Address	Name
1	0x4013da	RC4

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
r3---sn-j5o7dn7e.gvt1.com	CNAME r3.sn-j5o7dn7e.gvt1.com A 113.108.239.196
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
r1---sn-j5o7dn7e.gvt1.com	A 113.108.239.194 CNAME r1.sn-j5o7dn7e.gvt1.com	113.108.239.194
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com A 172.217.160.78	216.58.200.78
redirector.gvt1.com	A 203.208.41.65	58.63.233.97
update.googleapis.com	A 203.208.41.66	113.108.239.162
teredo.ipv6.microsoft.com

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49195	113.108.239.194 r1---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49196	113.108.239.196 r3---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49188	142.44.137.67	443
192.168.56.101	49194	203.208.41.65 redirector.gvt1.com	80
192.168.56.101	49192	203.208.41.66 update.googleapis.com	443

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	53500	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	56743	114.114.114.114	53
192.168.56.101	57874	114.114.114.114	53
192.168.56.101	58070	114.114.114.114	53
192.168.56.101	60088	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	60221	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50534	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	51808	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53380	224.0.0.252	5355
192.168.56.101	54991	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: redirector.gvt1.com
http://142.44.137.67:443/umS40m60T4X/gfg83eIw/	POST /umS40m60T4X/gfg83eIw/ HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------ZuWoUutSxhwsFeh User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 142.44.137.67:443 Content-Length: 4532 Connection: Keep-Alive Cache-Control: no-cache
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=e03d90c6c083f88f&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620743071&mv=m&mvi=3	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=e03d90c6c083f88f&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620743071&mv=m&mvi=3 HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620743071&mv=m&mvi=1&pl=23&shardbypass=yes	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620743071&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r1---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.