9.2
极危
9 个模型检测该样本为恶意!
重新分析
更多

880ec72f80d8a9035457be08eaa3e1658bb754797fe34ee2061ed32fbad1f18d

c6af0612847f0ab9beadac07fb2a6e7f.exe

分析耗时

120s

最近分析

文件大小

10.3MB
静态报毒 动态报毒 BANLOAD HIGH CONFIDENCE KISOFFER QVM42 SCREENSHOOTER
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
CrowdStrike 20190702 1.0
Alibaba 20190527 0.3.0.5
Avast 20200701 18.4.3895.0
Tencent 20200701 1.0.0.1
Baidu 20190318 1.0.0.2
Kingsoft 20200701 2013.8.14.323
McAfee 20200701 6.0.6.653
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619941173.343125
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (2 个事件)
Time & API Arguments Status Return Repeated
1619941147.780125
IsDebuggerPresent
failed 0 0
1619941173.702125
IsDebuggerPresent
failed 0 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)
section .itext
One or more processes crashed (1 个事件)
Time & API Arguments Status Return Repeated
1619941173.577125
__exception__
stacktrace: 
c6af0612847f0ab9beadac07fb2a6e7f+0x83b61 @ 0x483b61
c6af0612847f0ab9beadac07fb2a6e7f+0x99f77 @ 0x499f77
c6af0612847f0ab9beadac07fb2a6e7f+0x9b15e @ 0x49b15e
c6af0612847f0ab9beadac07fb2a6e7f+0x9f8e5 @ 0x49f8e5
c6af0612847f0ab9beadac07fb2a6e7f+0x9f95b @ 0x49f95b
c6af0612847f0ab9beadac07fb2a6e7f+0x94d22 @ 0x494d22
c6af0612847f0ab9beadac07fb2a6e7f+0x93b3b @ 0x493b3b
c6af0612847f0ab9beadac07fb2a6e7f+0xfbdbe @ 0x4fbdbe
c6af0612847f0ab9beadac07fb2a6e7f+0xe6699 @ 0x4e6699
c6af0612847f0ab9beadac07fb2a6e7f+0xe76c8 @ 0x4e76c8
c6af0612847f0ab9beadac07fb2a6e7f+0xca5b1 @ 0x4ca5b1
c6af0612847f0ab9beadac07fb2a6e7f+0x5ce5d @ 0x45ce5d
c6af0612847f0ab9beadac07fb2a6e7f+0x60df8 @ 0x460df8
c6af0612847f0ab9beadac07fb2a6e7f+0x45d95 @ 0x445d95
c6af0612847f0ab9beadac07fb2a6e7f+0x60f48 @ 0x460f48
c6af0612847f0ab9beadac07fb2a6e7f+0x60df8 @ 0x460df8
c6af0612847f0ab9beadac07fb2a6e7f+0x73d29 @ 0x473d29
c6af0612847f0ab9beadac07fb2a6e7f+0xfcf08 @ 0x4fcf08
c6af0612847f0ab9beadac07fb2a6e7f+0x2bd8e @ 0x42bd8e
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x775a965e
SendMessageW+0x4c GetAncestor-0xc0 user32+0x196c5 @ 0x775a96c5
GetEffectiveClientRect+0x3409 DPA_Merge-0xa5a comctl32+0xa4601 @ 0x756e4601
GetEffectiveClientRect+0x346b DPA_Merge-0x9f8 comctl32+0xa4663 @ 0x756e4663
GetEffectiveClientRect+0x32f5 DPA_Merge-0xb6e comctl32+0xa44ed @ 0x756e44ed
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetClientRect+0xc5 CallWindowProcW-0xb user32+0x20d27 @ 0x775b0d27
CallWindowProcW+0x1b SetRectEmpty-0x38 user32+0x20d4d @ 0x775b0d4d
c6af0612847f0ab9beadac07fb2a6e7f+0x60ef4 @ 0x460ef4
c6af0612847f0ab9beadac07fb2a6e7f+0x60df8 @ 0x460df8
c6af0612847f0ab9beadac07fb2a6e7f+0x45d95 @ 0x445d95
c6af0612847f0ab9beadac07fb2a6e7f+0x2bd8e @ 0x42bd8e
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x775a965e
SendMessageW+0x4c GetAncestor-0xc0 user32+0x196c5 @ 0x775a96c5
DestroyPropertySheetPage+0x69a DllGetVersion-0x1939 comctl32+0x44136 @ 0x75684136
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetClientRect+0xc5 CallWindowProcW-0xb user32+0x20d27 @ 0x775b0d27
CallWindowProcW+0x1b SetRectEmpty-0x38 user32+0x20d4d @ 0x775b0d4d
c6af0612847f0ab9beadac07fb2a6e7f+0x60ef4 @ 0x460ef4
c6af0612847f0ab9beadac07fb2a6e7f+0x60df8 @ 0x460df8
c6af0612847f0ab9beadac07fb2a6e7f+0x45d95 @ 0x445d95
c6af0612847f0ab9beadac07fb2a6e7f+0x2bd8e @ 0x42bd8e
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetThreadDesktop+0x185 GetWindowLongW-0x216 user32+0x16de8 @ 0x775a6de8
GetThreadDesktop+0x1e1 GetWindowLongW-0x1ba user32+0x16e44 @ 0x775a6e44
KiUserCallbackDispatcher+0x2e KiUserExceptionDispatcher-0x1a ntdll+0x1011a @ 0x77d4011a
PeekMessageW+0x197 MsgWaitForMultipleObjectsEx-0x143 user32+0x20751 @ 0x775b0751
c6af0612847f0ab9beadac07fb2a6e7f+0x7c321 @ 0x47c321
c6af0612847f0ab9beadac07fb2a6e7f+0x102775 @ 0x502775
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1633136
registers.edi: 59546368
registers.eax: 1633136
registers.ebp: 1633216
registers.edx: 0
registers.ebx: 2147746291
registers.esi: 61876756
registers.ecx: 7
exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xeedfade
exception.offset: 46887
exception.address: 0x778eb727
success 0 0
行为判定
动态指标
HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 个事件)
suspicious_features POST method with no referer header suspicious_request POST https://reqbus.ru/analytics/
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:2488826549&cup2hreq=2596f8fb08b080e64ec703e8270cac14c622d703b4520cf3f3106793cf3897bc
Performs some HTTP requests (14 个事件)
request GET http://apps.identrust.com/roots/dstrootcax3.p7c
request GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619912281&mv=u&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=97bde79dbe253940&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619912173&mv=m
request GET https://reqbus.ru/config/?branch=master&b=05c4eab&utm_source=695&utm_medium=cpi&utm_campaign=glaztv
request POST https://reqbus.ru/analytics/
request GET https://ssl.google-analytics.com/collect?v=1&t=event&tid=UA-127321766-1&cid=D8F343C1-2F3A-4C25-B98D-802BC4B2CCB1&ec=Run_05c4eab&ea=Started&el=695,cpi,glaztv
request GET https://ssl.google-analytics.com/collect?v=1&t=event&tid=UA-127321766-1&cid=D8F343C1-2F3A-4C25-B98D-802BC4B2CCB1&ec=Run_05c4eab&ea=Geo_cn&el=695,cpi,glaztv
request GET https://ssl.google-analytics.com/collect?v=1&t=event&tid=UA-127321766-1&cid=D8F343C1-2F3A-4C25-B98D-802BC4B2CCB1&ec=Offers&ea=SkipByGeo_Opera&el=695,cpi,glaztv
request GET https://ssl.google-analytics.com/collect?v=1&t=event&tid=UA-127321766-1&cid=D8F343C1-2F3A-4C25-B98D-802BC4B2CCB1&ec=Offers&ea=SkipByGeo_Opera_abs&el=695,cpi,glaztv
request GET https://ssl.google-analytics.com/collect?v=1&t=event&tid=UA-127321766-1&cid=D8F343C1-2F3A-4C25-B98D-802BC4B2CCB1&ec=Offers&ea=SkipByGeo_Yandex&el=695,cpi,glaztv
request GET https://ssl.google-analytics.com/collect?v=1&t=event&tid=UA-127321766-1&cid=D8F343C1-2F3A-4C25-B98D-802BC4B2CCB1&ec=Offers&ea=SkipByGeo_Avast&el=695,cpi,glaztv
request POST https://update.googleapis.com/service/update2?cup2key=10:2488826549&cup2hreq=2596f8fb08b080e64ec703e8270cac14c622d703b4520cf3f3106793cf3897bc
Sends data using the HTTP POST Method (2 个事件)
request POST https://reqbus.ru/analytics/
request POST https://update.googleapis.com/service/update2?cup2key=10:2488826549&cup2hreq=2596f8fb08b080e64ec703e8270cac14c622d703b4520cf3f3106793cf3897bc
Resolves a suspicious Top Level Domain (TLD) (1 个事件)
domain reqbus.ru description Russian Federation domain TLD
Allocates read-write-execute memory (usually to unpack itself) (12 个事件)
Time & API Arguments Status Return Repeated
1619941147.280125
NtProtectVirtualMemory
process_identifier: 2040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619941147.280125
NtProtectVirtualMemory
process_identifier: 2040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 69632
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00401000
success 0 0
1619941147.280125
NtProtectVirtualMemory
process_identifier: 2040
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 61440
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0041b000
success 0 0
1619941151.171125
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00570000
success 0 0
1619941173.436125
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x055b0000
success 0 0
1619941173.436125
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x055c0000
success 0 0
1619941175.452125
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x055d0000
success 0 0
1619941205.014499
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004090000
success 0 0
1619941173.624125
NtProtectVirtualMemory
process_identifier: 1416
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619941173.624125
NtProtectVirtualMemory
process_identifier: 1416
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 90112
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00401000
success 0 0
1619941173.639125
NtProtectVirtualMemory
process_identifier: 1416
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 61440
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00420000
success 0 0
1619941174.79675
NtAllocateVirtualMemory
process_identifier: 1832
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00580000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Steals private information from local Internet browsers (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-9RAJ7.tmp\Opera\Settings.ini
Creates executable files on the filesystem (3 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-9RAJ7.tmp\CallbackCtrl.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-V049N.tmp\_isetup\_shfoldr.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-9RAJ7.tmp\botva2.dll
Drops an executable to the user AppData folder (6 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-V049N.tmp\_isetup\_shfoldr.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-BD4NK.tmp\c6af0612847f0ab9beadac07fb2a6e7f.tmp
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-9RAJ7.tmp\CallbackCtrl.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-9RAJ7.tmp\botva2.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-9RAJ7.tmp\Soft\glaztv_setup.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-1HSPG.tmp\glaztv_setup.tmp
File has been identified by 9 AntiVirus engines on VirusTotal as malicious (9 个事件)
DrWeb Adware.Downware.19744
Qihoo-360 Generic/HEUR/QVM42.3.003D.Malware.Gen
ESET-NOD32 Win32/Adware.Kisoffer.A
Kaspersky not-a-virus:AdWare.Win32.ScreenShooter.gen
Endgame malicious (high confidence)
Ikarus Trojan-Downloader.Banload
AegisLab Adware.Win32.ScreenShooter.2!c
ZoneAlarm not-a-virus:AdWare.Win32.ScreenShooter.gen
Cybereason malicious.5f078c
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1619941157.264125
GetAdaptersAddresses
flags: 15
family: 0
failed 111 0
Queries for potentially installed applications (6 个事件)
Time & API Arguments Status Return Repeated
1619941151.764125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Глаз.ТВ_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Глаз.ТВ_is1
options: 0
failed 2 0
1619941151.764125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Глаз.ТВ_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Глаз.ТВ_is1
options: 0
failed 2 0
1619941154.436125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Глаз.ТВ_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Глаз.ТВ_is1
options: 0
failed 2 0
1619941154.436125
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Глаз.ТВ_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Глаз.ТВ_is1
options: 0
failed 2 0
1619941175.34375
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{9473D8DB-71A2-4C29-B413-B0AB02D40B9E}_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{9473D8DB-71A2-4C29-B413-B0AB02D40B9E}_is1
options: 0
failed 2 0
1619941175.34375
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{9473D8DB-71A2-4C29-B413-B0AB02D40B9E}_is1
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\{9473D8DB-71A2-4C29-B413-B0AB02D40B9E}_is1
options: 0
failed 2 0
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Attempts to create or modify system certificates (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob
Generates some ICMP traffic
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 个事件)
dead_host 172.217.27.142:443
dead_host 172.217.24.14:443
dead_host 142.250.66.110:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2018-06-14 21:27:46

Imports

Library oleaut32.dll:
0x419304 SysFreeString
0x419308 SysReAllocStringLen
0x41930c SysAllocStringLen
Library advapi32.dll:
0x419314 RegQueryValueExW
0x419318 RegOpenKeyExW
0x41931c RegCloseKey
Library user32.dll:
0x419324 GetKeyboardType
0x419328 LoadStringW
0x41932c MessageBoxA
0x419330 CharNextW
Library kernel32.dll:
0x419338 GetACP
0x41933c Sleep
0x419340 VirtualFree
0x419344 VirtualAlloc
0x419348 GetSystemInfo
0x41934c GetTickCount
0x419354 GetVersion
0x419358 GetCurrentThreadId
0x41935c VirtualQuery
0x419360 WideCharToMultiByte
0x419364 MultiByteToWideChar
0x419368 lstrlenW
0x41936c lstrcpynW
0x419370 LoadLibraryExW
0x419374 GetThreadLocale
0x419378 GetStartupInfoA
0x41937c GetProcAddress
0x419380 GetModuleHandleW
0x419384 GetModuleFileNameW
0x419388 GetLocaleInfoW
0x41938c GetCommandLineW
0x419390 FreeLibrary
0x419394 FindFirstFileW
0x419398 FindClose
0x41939c ExitProcess
0x4193a0 WriteFile
0x4193a8 RtlUnwind
0x4193ac RaiseException
0x4193b0 GetStdHandle
0x4193b4 CloseHandle
Library kernel32.dll:
0x4193bc TlsSetValue
0x4193c0 TlsGetValue
0x4193c4 LocalAlloc
0x4193c8 GetModuleHandleW
Library user32.dll:
0x4193d0 CreateWindowExW
0x4193d4 TranslateMessage
0x4193d8 SetWindowLongW
0x4193dc PeekMessageW
0x4193e4 MessageBoxW
0x4193e8 LoadStringW
0x4193ec GetSystemMetrics
0x4193f0 ExitWindowsEx
0x4193f4 DispatchMessageW
0x4193f8 DestroyWindow
0x4193fc CharUpperBuffW
0x419400 CallWindowProcW
Library kernel32.dll:
0x419408 WriteFile
0x41940c WideCharToMultiByte
0x419410 WaitForSingleObject
0x419414 VirtualQuery
0x419418 VirtualProtect
0x41941c VirtualFree
0x419420 VirtualAlloc
0x419424 SizeofResource
0x419428 SignalObjectAndWait
0x41942c SetLastError
0x419430 SetFilePointer
0x419434 SetEvent
0x419438 SetErrorMode
0x41943c SetEndOfFile
0x419440 ResetEvent
0x419444 RemoveDirectoryW
0x419448 ReadFile
0x41944c MultiByteToWideChar
0x419450 LockResource
0x419454 LoadResource
0x419458 LoadLibraryW
0x419460 GetVersionExW
0x419464 GetVersion
0x41946c GetThreadLocale
0x419470 GetSystemInfo
0x419474 GetSystemDirectoryW
0x419478 GetStdHandle
0x41947c GetProcAddress
0x419480 GetModuleHandleW
0x419484 GetModuleFileNameW
0x419488 GetLocaleInfoW
0x41948c GetLastError
0x419490 GetFullPathNameW
0x419494 GetFileSize
0x419498 GetFileAttributesW
0x41949c GetExitCodeProcess
0x4194a4 GetDiskFreeSpaceW
0x4194a8 GetCurrentProcess
0x4194ac GetCommandLineW
0x4194b0 GetCPInfo
0x4194b4 InterlockedExchange
0x4194bc FreeLibrary
0x4194c0 FormatMessageW
0x4194c4 FindResourceW
0x4194c8 EnumCalendarInfoW
0x4194cc DeleteFileW
0x4194d0 CreateProcessW
0x4194d4 CreateFileW
0x4194d8 CreateEventW
0x4194dc CreateDirectoryW
0x4194e0 CloseHandle
Library advapi32.dll:
0x4194e8 RegQueryValueExW
0x4194ec RegOpenKeyExW
0x4194f0 RegCloseKey
0x4194f4 OpenProcessToken
Library comctl32.dll:
0x419500 InitCommonControls
Library kernel32.dll:
0x419508 Sleep
Library advapi32.dll:

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49222 113.108.239.161 redirector.gvt1.com 80
192.168.56.101 49220 113.108.239.162 update.googleapis.com 443
192.168.56.101 49224 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49225 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49193 124.225.105.97 www.download.windowsupdate.com 80
192.168.56.101 49190 192.35.177.64 apps.identrust.com 80
192.168.56.101 49188 35.217.27.166 reqbus.ru 443
192.168.56.101 49196 58.63.233.105 ssl.google-analytics.com 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 57874 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 54991 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 60088 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://apps.identrust.com/roots/dstrootcax3.p7c 
GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619912281&mv=u&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619912281&mv=u&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT
If-None-Match: "0d8f4f3f6fd71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=97bde79dbe253940&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619912173&mv=m 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=97bde79dbe253940&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619912173&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.