14.2
0-day
2 个模型检测该样本为恶意!
重新分析
更多

944141141cb5fd194056b8e1cb38a435f34e84e542da47f7959048abafecf7bf

c96a5866de8e8d98d2368e64ce7d8a23.exe

分析耗时

159s

最近分析

文件大小

8.7MB
静态报毒 动态报毒 CLOUD XIAZAI
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee 20210408 6.0.6.653
Alibaba 20190527 0.3.0.5
Avast 20210408 21.1.5827.0
Tencent 20210408 1.0.0.1
Baidu 20190318 1.0.0.2
Kingsoft 20210408 2017.9.26.565
CrowdStrike 20210203 1.0
静态指标
Queries for the computername (8 个事件)
Time & API Arguments Status Return Repeated
1619906586.577875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619906586.577875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619906592.655875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619906592.655875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619906592.874875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619906592.874875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619921822.581626
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619921824.820983
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (15 个事件)
Time & API Arguments Status Return Repeated
1619921838.721594
IsDebuggerPresent
failed 0 0
1619921840.676695
IsDebuggerPresent
failed 0 0
1619921848.10607
IsDebuggerPresent
failed 0 0
1619921848.12207
IsDebuggerPresent
failed 0 0
1619921858.45007
IsDebuggerPresent
failed 0 0
1619921858.60607
IsDebuggerPresent
failed 0 0
1619921858.74707
IsDebuggerPresent
failed 0 0
1619921858.77807
IsDebuggerPresent
failed 0 0
1619921858.80907
IsDebuggerPresent
failed 0 0
1619921858.87207
IsDebuggerPresent
failed 0 0
1619921858.88707
IsDebuggerPresent
failed 0 0
1619921858.91807
IsDebuggerPresent
failed 0 0
1619921841.710586
IsDebuggerPresent
failed 0 0
1619921841.710586
IsDebuggerPresent
failed 0 0
1619921841.756586
IsDebuggerPresent
failed 0 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
This executable is signed
Tries to locate where the browsers are installed (1 个事件)
file C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome.dll
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619906584.687875
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)
section .ndata
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:3247248212&cup2hreq=05d3c12d7582f1d42a2698fb8604acea9c96cd521c5861d30e3133bc0c4bf935
Performs some HTTP requests (5 个事件)
request GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619892741&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=fa0d993d145765a2&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619892741&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:3247248212&cup2hreq=05d3c12d7582f1d42a2698fb8604acea9c96cd521c5861d30e3133bc0c4bf935
Sends data using the HTTP POST Method (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:3247248212&cup2hreq=05d3c12d7582f1d42a2698fb8604acea9c96cd521c5861d30e3133bc0c4bf935
Allocates read-write-execute memory (usually to unpack itself) (15 个事件)
Time & API Arguments Status Return Repeated
1619906593.530875
NtAllocateVirtualMemory
process_identifier: 1396
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04010000
success 0 0
1619921804.769374
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000007120000
success 0 0
1619921840.629695
NtProtectVirtualMemory
process_identifier: 3872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74011000
success 0 0
1619921840.629695
NtProtectVirtualMemory
process_identifier: 3872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75d61000
success 0 0
1619921840.629695
NtProtectVirtualMemory
process_identifier: 3872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x71dc1000
success 0 0
1619921840.629695
NtProtectVirtualMemory
process_identifier: 3872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73fd1000
success 0 0
1619921840.676695
NtProtectVirtualMemory
process_identifier: 3872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75380000
success 0 0
1619921840.676695
NtProtectVirtualMemory
process_identifier: 3872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74561000
success 0 0
1619921840.692695
NtProtectVirtualMemory
process_identifier: 3872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x71cc1000
success 0 0
1619921840.973695
NtProtectVirtualMemory
process_identifier: 3872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77711000
success 0 0
1619921840.973695
NtProtectVirtualMemory
process_identifier: 3872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76241000
success 0 0
1619921840.973695
NtProtectVirtualMemory
process_identifier: 3872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76121000
success 0 0
1619921841.036695
NtProtectVirtualMemory
process_identifier: 3872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75a11000
success 0 0
1619921841.036695
NtProtectVirtualMemory
process_identifier: 3872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x766c1000
success 0 0
1619921841.036695
NtProtectVirtualMemory
process_identifier: 3872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77691000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
A process attempted to delay the analysis task. (1 个事件)
description lantern.exe tried to sleep 120 seconds, actually delayed analysis time by 120 seconds
Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 个事件)
Time & API Arguments Status Return Repeated
1619921808.925374
GetDiskFreeSpaceExW
root_path: C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Explorer
free_bytes_available: 19443662848
total_number_of_free_bytes: 0
total_number_of_bytes: 0
success 1 0
Steals private information from local Internet browsers (15 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\First Run
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF1de6915.TMP
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-608E151E-F6C.pma
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
Creates executable files on the filesystem (9 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Lantern\lantern.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsrC0FA.tmp\ShellExecAsUser.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lantern\Lantern.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Lantern\uninstall.exe
file C:\Users\Administrator.Oskar-PC\Desktop\Lantern.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\notifu-notifier942849959\notifu.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\byteexec\sysproxy-cmd.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\byteexec\certimporter.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lantern\Uninstall Lantern.lnk
Creates hidden or system file (1 个事件)
Time & API Arguments Status Return Repeated
1619921885.555983
SetFileAttributesW
file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN)
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Lantern\.lantern.exe.old
filepath: C:\Users\Administrator.Oskar-PC\AppData\Roaming\Lantern\.lantern.exe.old
success 1 0
Creates a shortcut to an executable file (3 个事件)
file C:\Users\Administrator.Oskar-PC\Desktop\Lantern.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lantern\Uninstall Lantern.lnk
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Lantern\Lantern.lnk
Creates a suspicious process (3 个事件)
cmdline C:\Users\Administrator.Oskar-PC\AppData\Roaming\byteexec\sysproxy-cmd.exe show
cmdline C:\Users\Administrator.Oskar-PC\AppData\Roaming\byteexec\sysproxy-cmd.exe wait-and-cleanup 127.0.0.1 49256
cmdline C:\Users\Administrator.Oskar-PC\AppData\Roaming\byteexec\sysproxy-cmd.exe on 127.0.0.1 49256
Drops a binary and executes it (3 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Lantern\lantern.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\byteexec\sysproxy-cmd.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\notifu-notifier942849959\notifu.exe
Drops an executable to the user AppData folder (6 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Lantern\.lantern.exe.old
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\notifu-notifier942849959\notifu.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Lantern\lantern.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\nsrC0FA.tmp\ShellExecAsUser.dll
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Lantern\uninstall.exe
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\byteexec\certimporter.exe
File has been identified by 2 AntiVirus engines on VirusTotal as malicious (2 个事件)
Paloalto generic.ml
Rising Malware.Xiazai!8.E938 (CLOUD)
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1619921824.534626
GetAdaptersAddresses
flags: 16
family: 0
success 0 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)
Time & API Arguments Status Return Repeated
1619921824.206626
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619921827.789983
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Queries for potentially installed applications (1 个事件)
Time & API Arguments Status Return Repeated
1619906585.577875
RegOpenKeyExA
access: 0x00020019
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Lantern
regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\Lantern
options: 0
failed 2 0
网络通信
Communicates with host for which no DNS query was performed (50 out of 243 个事件)
host 104.118.6.138
host 104.80.88.54
host 104.84.152.152
host 128.199.185.96
host 13.32.0.197
host 13.32.0.198
host 13.32.0.207
host 13.32.0.212
host 13.32.0.220
host 13.32.0.248
host 13.32.0.40
host 13.32.0.46
host 13.32.0.77
host 13.32.0.92
host 13.32.1.145
host 13.32.4.14
host 13.35.0.102
host 13.35.0.146
host 13.35.0.156
host 13.35.0.17
host 13.35.0.181
host 13.35.0.182
host 13.35.0.190
host 13.35.0.217
host 13.35.0.7
host 13.35.0.74
host 13.35.0.96
host 13.35.0.97
host 13.35.1.179
host 13.35.1.181
host 13.35.1.39
host 13.35.1.44
host 13.35.1.78
host 13.35.3.92
host 142.93.214.120
host 143.204.0.9
host 149.28.77.28
host 159.203.109.157
host 172.217.24.14
host 184.51.1.45
host 184.51.1.56
host 188.166.162.21
host 188.166.85.34
host 2.16.173.96
host 2.18.212.13
host 2.19.194.151
host 2.19.98.41
host 2.20.255.100
host 20.194.106.28
host 204.246.169.114
Looks for the Windows Idle Time to determine the uptime (1 个事件)
Time & API Arguments Status Return Repeated
1619921821.065626
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
success 0 0
Installs itself for autorun at Windows startup (3 个事件)
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Lantern reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Lantern\lantern.exe" -clear-proxy-settings
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Lantern reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Lantern\lantern.exe" -startup
reg_key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Lantern reg_value "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Lantern\lantern.exe" -startup
One or more non-safelisted processes were created (1 个事件)
parent_process chrome.exe martian_process "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef2064f50,0x7fef2064f60,0x7fef2064f70
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2015-12-27 13:38:55

Imports

Library KERNEL32.dll:
0x407064 SetFileAttributesA
0x407068 GetShortPathNameA
0x40706c GetFullPathNameA
0x407070 MoveFileA
0x407078 GetFileAttributesA
0x40707c GetLastError
0x407080 CompareFileTime
0x407084 SearchPathA
0x407088 Sleep
0x40708c GetTickCount
0x407090 GetFileSize
0x407094 GetModuleFileNameA
0x407098 GetCurrentProcess
0x40709c CopyFileA
0x4070a0 ExitProcess
0x4070a4 CreateDirectoryA
0x4070a8 lstrcmpiA
0x4070ac GetCommandLineA
0x4070b0 GetVersion
0x4070b4 SetErrorMode
0x4070b8 lstrcpynA
0x4070bc GetDiskFreeSpaceA
0x4070c0 GlobalUnlock
0x4070c4 GlobalLock
0x4070c8 CreateThread
0x4070cc CreateProcessA
0x4070d0 RemoveDirectoryA
0x4070d4 CreateFileA
0x4070d8 GetTempFileNameA
0x4070dc lstrlenA
0x4070e0 lstrcatA
0x4070e4 GetSystemDirectoryA
0x4070e8 LoadLibraryA
0x4070ec SetFileTime
0x4070f0 CloseHandle
0x4070f4 GlobalFree
0x4070f8 lstrcmpA
0x407100 GetExitCodeProcess
0x407104 GlobalAlloc
0x407108 WaitForSingleObject
0x407110 GetTempPathA
0x407114 GetProcAddress
0x407118 FindFirstFileA
0x40711c FindNextFileA
0x407120 DeleteFileA
0x407124 SetFilePointer
0x407128 ReadFile
0x40712c FindClose
0x407138 WriteFile
0x40713c MulDiv
0x407140 LoadLibraryExA
0x407144 GetModuleHandleA
0x407148 MultiByteToWideChar
0x40714c FreeLibrary
Library USER32.dll:
0x407170 GetWindowRect
0x407174 EnableMenuItem
0x407178 GetSystemMenu
0x40717c ScreenToClient
0x407180 SetClassLongA
0x407184 IsWindowEnabled
0x407188 SetWindowPos
0x40718c GetSysColor
0x407190 GetWindowLongA
0x407194 SetCursor
0x407198 LoadCursorA
0x40719c CheckDlgButton
0x4071a0 GetMessagePos
0x4071a4 LoadBitmapA
0x4071a8 CallWindowProcA
0x4071ac IsWindowVisible
0x4071b0 CloseClipboard
0x4071b4 SetForegroundWindow
0x4071b8 PostQuitMessage
0x4071bc RegisterClassA
0x4071c0 EndDialog
0x4071c4 AppendMenuA
0x4071c8 CreatePopupMenu
0x4071cc GetSystemMetrics
0x4071d0 SetDlgItemTextA
0x4071d4 GetDlgItemTextA
0x4071d8 MessageBoxIndirectA
0x4071dc CharPrevA
0x4071e0 DispatchMessageA
0x4071e4 PeekMessageA
0x4071e8 EnableWindow
0x4071ec InvalidateRect
0x4071f0 SendMessageA
0x4071f4 DefWindowProcA
0x4071f8 BeginPaint
0x4071fc GetClientRect
0x407200 FillRect
0x407204 DrawTextA
0x407208 EndPaint
0x407210 CreateWindowExA
0x407214 GetClassInfoA
0x407218 DialogBoxParamA
0x40721c CharNextA
0x407220 ExitWindowsEx
0x407224 DestroyWindow
0x407228 OpenClipboard
0x40722c TrackPopupMenu
0x407230 SendMessageTimeoutA
0x407234 GetDC
0x407238 LoadImageA
0x40723c GetDlgItem
0x407240 FindWindowExA
0x407244 IsWindow
0x407248 SetClipboardData
0x40724c SetWindowLongA
0x407250 EmptyClipboard
0x407254 SetTimer
0x407258 CreateDialogParamA
0x40725c wsprintfA
0x407260 ShowWindow
0x407264 SetWindowTextA
Library GDI32.dll:
0x407040 SelectObject
0x407044 SetBkMode
0x407048 CreateFontIndirectA
0x40704c SetTextColor
0x407050 DeleteObject
0x407054 GetDeviceCaps
0x407058 CreateBrushIndirect
0x40705c SetBkColor
Library SHELL32.dll:
0x40715c SHBrowseForFolderA
0x407160 SHGetFileInfoA
0x407164 ShellExecuteA
0x407168 SHFileOperationA
Library ADVAPI32.dll:
0x407000 RegDeleteValueA
0x407004 SetFileSecurityA
0x407008 RegOpenKeyExA
0x40700c RegDeleteKeyA
0x407010 RegEnumValueA
0x407014 RegCloseKey
0x407018 RegCreateKeyExA
0x40701c RegSetValueExA
0x407020 RegQueryValueExA
0x407024 RegEnumKeyA
Library COMCTL32.dll:
0x40702c ImageList_Create
0x407030 ImageList_Destroy
0x407034
0x407038 ImageList_AddMasked
Library ole32.dll:
0x40726c OleUninitialize
0x407270 OleInitialize
0x407274 CoTaskMemFree
0x407278 CoCreateInstance

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49281 104.118.6.138 443
192.168.56.101 49201 104.80.88.54 443
192.168.56.101 49523 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49526 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49229 13.32.1.145 443
192.168.56.101 49283 13.32.4.14 443
192.168.56.101 49489 13.35.0.102 443
192.168.56.101 49522 13.35.0.146 443
192.168.56.101 49453 13.35.0.156 443
192.168.56.101 49305 13.35.0.17 443
192.168.56.101 49270 13.35.0.181 443
192.168.56.101 49508 13.35.0.182 443
192.168.56.101 49449 13.35.0.190 443
192.168.56.101 49360 13.35.0.217 443
192.168.56.101 49341 13.35.0.7 443
192.168.56.101 49398 13.35.0.74 443
192.168.56.101 49345 13.35.0.96 443
192.168.56.101 49385 13.35.0.97 443
192.168.56.101 49255 13.35.1.179 443
192.168.56.101 49383 13.35.1.181 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 53380 114.114.114.114 53
192.168.56.101 54260 114.114.114.114 53
192.168.56.101 54991 114.114.114.114 53
192.168.56.101 60088 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 61680 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Host: www.download.windowsupdate.com
User-Agent: Microsoft-CryptoAPI/6.1
Accept: */*
Cache-Control: max-age = 3600
If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT
If-None-Match: "0d8f4f3f6fd71:0"
Proxy-Connection: Keep-Alive
X-Lantern-Version: 5.4.7
Accept-Encoding: gzip
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619892741&mv=m&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619892741&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab 
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Host: www.download.windowsupdate.com
User-Agent: Microsoft-CryptoAPI/6.1
Accept: */*
Cache-Control: max-age = 3600
If-Modified-Since: Wed, 03 Mar 2021 07:30:57 GMT
Proxy-Connection: Keep-Alive
X-Lantern-Version: 5.4.7
Accept-Encoding: gzip
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=fa0d993d145765a2&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619892741&mv=m 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=fa0d993d145765a2&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619892741&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.