10.6
0-day

3de8440ab1e4be53424c1ab76379b20b49b4397ada0604bb09b8212894df2f8a

66046383ab45e681344421cb3d4c7df4.exe

Analysis time

122s

Last analysis

File size

272.0KB
Static detection / Dynamic detection tags: AI SCORE=80 AIDETECTGBM AMTKY BANKERX BFMP BSCOPE CLASSIC CONFIDENCE ELDORADO EMOTET GENCIRC GENERICKDZ GENETIC HFXN HIGH CONFIDENCE HUBVUT HWGAU3SA KCLOUD KRYPTIK LZ4IXTGEHE0 MALWARE@#2CYE9J0V3E2A0 R + TROJ RQW@A4EDNZAI SCORE STATIC AI SUSGEN SUSPICIOUS PE THJABBO UNSAFE ZEXAE
Hawkeye engine
Not detected: no Hawkeye engine detection results available
Static verdict
Antivirus engines
Engine Result Scan time Engine version
Alibaba Trojan:Win32/Emotet.0eb349a2 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:BankerX-gen [Trj] 20210219 21.1.5827.0
Tencent Malware.Win32.Gencirc.10cdfd63 20210219 1.0.0.1
Kingsoft Win32.Troj.Banker.(kcloud) 20210219 2017.9.26.565
McAfee Emotet-FSB!66046383AB45 20210219 6.0.6.653
CrowdStrike win/malicious_confidence_90% (W) 20210203 1.0
Static indicators
Queries for the computer name (1 event)
Time & API Arguments Status Return Repeated
1619616542.210625
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (7 events)
Time & API Arguments Status Return Repeated
1619616531.866625
CryptGenKey
crypto_handle: 0x006aad08
algorithm_identifier: 0x0000660e ()
provider_handle: 0x006aaf18
flags: 1
key: fÝb¥õ<év£ïì™Ýa
success 1 0
1619616542.210625
CryptExportKey
crypto_handle: 0x006aad08
crypto_export_handle: 0x006aacc8
buffer: f¤¶Î¿é[R.—Ÿ¦€Tú#§·{f“zÂø°o@Ni¶¼3ó¸Ù¸íㆽà¤òÇû^¦Pùi¥^¦@jÕã)ó\Å6ôӕ42÷DÍSfলý]‡Y©Ìdµ¤
blob_type: 1
flags: 64
success 1 0
1619616572.866625
CryptExportKey
crypto_handle: 0x006aad08
crypto_export_handle: 0x006aacc8
buffer: f¤†Óró¦k·Ì_š(Þ³‚€¾ÕJß%»»2Ò«œlˑN‘~Ö³ðÜg÷ƝáÛ4¿Ý£¢ÿ”¡¥C¦Fù. Âf>Ú6ùEÊp÷–•¿ ‹zÙá'3Ääù€óòí¸8
blob_type: 1
flags: 64
success 1 0
1619616577.585625
CryptExportKey
crypto_handle: 0x006aad08
crypto_export_handle: 0x006aacc8
buffer: f¤`©|ý¢òŽn‹–õ",T+¯cÿ•Ìd`YnaGF][ž€>ä#EqF4?ùžQèN øbI~ŒDè 6 ßK»$€åÓgՙ¨m²¡„@È Ëõ?¨… Hىó^Mc*
blob_type: 1
flags: 64
success 1 0
1619616582.850625
CryptExportKey
crypto_handle: 0x006aad08
crypto_export_handle: 0x006aacc8
buffer: f¤"ón*0®ð7`gI¢…LP:ø0ô‰H¼µ¿‘Ípž»?t7”ù»`(8ÐgÉ:,òŸ Dªº<{¶ªP c*¹ùUn¿›é5([/(ðȁÕðæLï®< Ô=GN
blob_type: 1
flags: 64
success 1 0
1619616587.335625
CryptExportKey
crypto_handle: 0x006aad08
crypto_export_handle: 0x006aacc8
buffer: f¤ ¾T¤1÷¯f± $d0`JPˆõçi¯w3( V<lÝÅp.»ŸqTæF(tj-õ;0\PûŒí,ãj~ uÖϐԮ⠘V 2ÚXˀ½Õƒÿo„îT(˜,
blob_type: 1
flags: 64
success 1 0
1619616611.053625
CryptExportKey
crypto_handle: 0x006aad08
crypto_export_handle: 0x006aacc8
buffer: f¤ØÐÁ„ñŠÝ¢ÛZ°ã»fzfÿX: ܍Ù(žï†êœ‡K*;\ŠZÅaþÈ /Âø»–‘SˆÄÔô+§}¡"È+‚(<o]Žä{­Û÷ Oeq)Ôª^-k
blob_type: 1
flags: 64
success 1 0
Behavioral verdict
Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware-related traffic (1 event)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:472210215&cup2hreq=135621795e5bdf36e23b8430be7beb06883e84d5a6f8b403258e48735e4253e3
Performs some HTTP requests (4 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619587698&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=bd85de0d1a781f93&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619587457&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:472210215&cup2hreq=135621795e5bdf36e23b8430be7beb06883e84d5a6f8b403258e48735e4253e3
Sends data using the HTTP POST method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:472210215&cup2hreq=135621795e5bdf36e23b8430be7beb06883e84d5a6f8b403258e48735e4253e3
Allocates read-write-execute memory (usually to unpack itself) (3 events)
Time & API Arguments Status Return Repeated
1619616524.882375
NtAllocateVirtualMemory
process_identifier: 2008
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003c0000
success 0 0
1619616577.72525
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004010000
success 0 0
1619616531.460625
NtAllocateVirtualMemory
process_identifier: 2952
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x003f0000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Searches running processes, potentially to identify processes for sandbox evasion, code injection or memory dumping (10 events)
Moves the original executable to a new location (1 event)
Time & API Arguments Status Return Repeated
1619616527.897375
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\66046383ab45e681344421cb3d4c7df4.exe
newfilepath: C:\Windows\SysWOW64\NlsData001d\comcat.exe
newfilepath_r: C:\Windows\SysWOW64\NlsData001d\comcat.exe
flags: 3
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\66046383ab45e681344421cb3d4c7df4.exe
success 1 0
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619616545.491625
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Expresses interest in specific running processes (1 event)
process comcat.exe
Reads the system's User-Agent and subsequently performs requests (1 event)
Time & API Arguments Status Return Repeated
1619616543.100625
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
Uses Windows utilities for basic Windows functionality (1 event)
cmdline C:\Windows\SysWOW64\NlsData001d\comcat.exe
Network communication
Communicates with hosts for which no DNS query was performed (7 events)
host 12.162.84.2
host 172.217.24.14
host 50.121.220.50
host 51.75.33.122
host 54.37.42.48
host 68.69.155.181
host 91.121.54.71
Installs itself for autorun at Windows startup (1 event)
service_name comcat service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\NlsData001d\comcat.exe"
Created a service that was not subsequently started (1 event)
Time & API Arguments Status Return Repeated
1619616529.882375
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x023fa420
display_name: comcat
error_control: 0
service_name: comcat
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\NlsData001d\comcat.exe"
filepath_r: "C:\Windows\SysWOW64\NlsData001d\comcat.exe"
service_manager_handle: 0x023e86a0
desired_access: 2
service_type: 16
password:
success 37725216 0
Sets or modifies the WPAD proxy autoconfiguration settings, usable for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1619616548.116625
RegSetValueExA
key_handle: 0x000003ac
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619616548.116625
RegSetValueExA
key_handle: 0x000003ac
value: @E=Ù:<×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619616548.116625
RegSetValueExA
key_handle: 0x000003ac
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619616548.116625
RegSetValueExW
key_handle: 0x000003ac
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619616548.116625
RegSetValueExA
key_handle: 0x000003c4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619616548.116625
RegSetValueExA
key_handle: 0x000003c4
value: @E=Ù:<×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619616548.116625
RegSetValueExA
key_handle: 0x000003c4
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619616548.132625
RegSetValueExW
key_handle: 0x000003a8
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Attempts to remove evidence of the file having been downloaded from the Internet (1 event)
file C:\Windows\SysWOW64\NlsData001d\comcat.exe:Zone.Identifier
File has been identified by 62 antivirus engines on VirusTotal as malicious (50 of 62 events shown)
Bkav W32.AIDetectGBM.malware.02
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.69895
FireEye Generic.mg.66046383ab45e681
ALYac Trojan.Agent.Emotet
Cylance Unsafe
Zillya Trojan.Emotet.Win32.28365
AegisLab Trojan.Win32.Emotet.L!c
Sangfor Trojan.Win32.Emotet.ARJ
K7AntiVirus Riskware ( 0040eff71 )
Alibaba Trojan:Win32/Emotet.0eb349a2
K7GW Riskware ( 0040eff71 )
Cybereason malicious.3ab45e
Arcabit Trojan.Generic.D11107
Cyren W32/Emotet.ARY.gen!Eldorado
Symantec Trojan.Emotet
APEX Malicious
Paloalto generic.ml
ClamAV Win.Malware.Emotet-9752262-0
Kaspersky HEUR:Trojan-Banker.Win32.Emotet.pef
BitDefender Trojan.GenericKDZ.69895
NANO-Antivirus Trojan.Win32.Emotet.hubvut
Avast Win32:BankerX-gen [Trj]
Tencent Malware.Win32.Gencirc.10cdfd63
Ad-Aware Trojan.GenericKDZ.69895
Sophos Mal/Generic-R + Troj/Agent-BFMP
Comodo Malware@#2cye9j0v3e2a0
F-Secure Trojan.TR/Crypt.Agent.amtky
DrWeb Trojan.Emotet.1016
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.EMOTET.THJABBO
McAfee-GW-Edition BehavesLike.Win32.Emotet.dh
Emsisoft Trojan.Emotet (A)
SentinelOne Static AI - Suspicious PE
Jiangmin Trojan.Banker.Emotet.pff
Avira TR/Crypt.Agent.amtky
eGambit Generic.Malware
MAX malware (ai score=80)
Antiy-AVL Trojan[Banker]/Win32.Emotet
Kingsoft Win32.Troj.Banker.(kcloud)
Gridinsoft Trojan.Win32.Emotet.oa!s1
Microsoft Trojan:Win32/Emotet.ARJ!MTB
ZoneAlarm HEUR:Trojan-Banker.Win32.Emotet.pef
GData Trojan.GenericKDZ.69895
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.Generic.C4191953
McAfee Emotet-FSB!66046383AB45
TACHYON Banker/W32.Emotet.278528.G
VBA32 BScope.Backdoor.Emotet
Malwarebytes Trojan.Emotet
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (12 events)
dead_host 91.121.54.71:8080
dead_host 172.217.160.110:443
dead_host 172.217.24.14:443
dead_host 192.168.56.101:49199
dead_host 192.168.56.101:49188
dead_host 68.69.155.181:80
dead_host 12.162.84.2:8080
dead_host 51.75.33.122:80
dead_host 192.168.56.101:49187
dead_host 50.121.220.50:80
dead_host 192.168.56.101:49185
dead_host 54.37.42.48:8080
Visual analysis
Binary image
No binary image: the sample did not produce a binary visualization image
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran


PE Compile Time

2020-09-03 18:44:16

Imports

Library KERNEL32.dll:
0x4290b4 VirtualQuery
0x4290b8 GetStartupInfoA
0x4290bc GetCommandLineA
0x4290c0 HeapReAlloc
0x4290c4 TerminateProcess
0x4290c8 SetStdHandle
0x4290cc GetFileType
0x4290d0 HeapSize
0x4290d4 LCMapStringA
0x4290d8 LCMapStringW
0x4290dc HeapDestroy
0x4290e0 HeapCreate
0x4290e4 VirtualFree
0x4290e8 IsBadWritePtr
0x4290ec GetStdHandle
0x4290fc GetSystemInfo
0x429104 SetHandleCount
0x42910c GetCurrentProcessId
0x429118 GetStringTypeA
0x42911c GetStringTypeW
0x429124 IsBadReadPtr
0x429128 IsBadCodePtr
0x429130 VirtualAlloc
0x429134 VirtualProtect
0x429138 HeapFree
0x42913c HeapAlloc
0x429140 RtlUnwind
0x429144 GetTickCount
0x429148 SetErrorMode
0x42914c GetFileTime
0x429150 GetFileAttributesA
0x429158 CreateFileA
0x42915c GetFullPathNameA
0x429164 FindFirstFileA
0x429168 FindClose
0x42916c GetCurrentProcess
0x429170 DuplicateHandle
0x429174 GetFileSize
0x429178 SetEndOfFile
0x42917c UnlockFile
0x429180 LockFile
0x429184 FlushFileBuffers
0x429188 SetFilePointer
0x42918c WriteFile
0x429190 ReadFile
0x429198 GetOEMCP
0x42919c GetCPInfo
0x4291a0 GlobalFlags
0x4291a4 TlsFree
0x4291a8 LocalReAlloc
0x4291ac TlsSetValue
0x4291b0 TlsAlloc
0x4291b4 TlsGetValue
0x4291bc GlobalHandle
0x4291c0 GlobalReAlloc
0x4291c8 LocalAlloc
0x4291d4 RaiseException
0x4291e4 CloseHandle
0x4291e8 GetCurrentThread
0x4291ec lstrcmpA
0x4291f0 GetModuleFileNameA
0x4291fc lstrcpyA
0x429200 FreeResource
0x429204 GetCurrentThreadId
0x429208 GlobalGetAtomNameA
0x42920c GlobalAddAtomA
0x429210 GlobalFindAtomA
0x429214 GlobalDeleteAtom
0x429218 LoadLibraryA
0x42921c FreeLibrary
0x429220 lstrcatA
0x429224 lstrcmpW
0x429228 GetModuleHandleA
0x42922c GetProcAddress
0x429230 SetLastError
0x429234 GlobalFree
0x429238 MulDiv
0x42923c GlobalAlloc
0x429240 GlobalLock
0x429244 GlobalUnlock
0x429248 FormatMessageA
0x42924c lstrcpynA
0x429250 LocalFree
0x429254 CompareStringW
0x429258 CompareStringA
0x42925c lstrlenA
0x429260 lstrcmpiA
0x429264 GetVersion
0x429268 GetLastError
0x42926c MultiByteToWideChar
0x429270 WideCharToMultiByte
0x429274 FindResourceA
0x429278 LoadResource
0x42927c LockResource
0x429280 SizeofResource
0x429284 GetVersionExA
0x429288 GetThreadLocale
0x42928c GetLocaleInfoA
0x429290 GetACP
0x429294 InterlockedExchange
0x42929c ExitProcess
Library USER32.dll:
0x4292f0 PostThreadMessageA
0x4292f4 GetNextDlgGroupItem
0x4292f8 InvalidateRgn
0x4292fc InvalidateRect
0x429304 SetRect
0x429308 IsRectEmpty
0x42930c ReleaseCapture
0x429310 SetCapture
0x429314 CharNextA
0x429318 LoadCursorA
0x42931c GetSysColorBrush
0x429320 EndPaint
0x429324 BeginPaint
0x429328 GetWindowDC
0x42932c ReleaseDC
0x429330 GetDC
0x429334 ClientToScreen
0x429338 GrayStringA
0x42933c DrawTextExA
0x429340 DrawTextA
0x429344 TabbedTextOutA
0x429348 wsprintfA
0x42934c DestroyMenu
0x429354 MapDialogRect
0x429358 GetDesktopWindow
0x429360 GetNextDlgTabItem
0x429364 EndDialog
0x429368 GetMessageA
0x42936c TranslateMessage
0x429370 GetActiveWindow
0x429374 GetCursorPos
0x429378 ValidateRect
0x42937c SetCursor
0x429380 PostQuitMessage
0x429384 SetMenuItemBitmaps
0x429388 ModifyMenuA
0x42938c EnableMenuItem
0x429390 CheckMenuItem
0x429398 LoadBitmapA
0x42939c IsWindowEnabled
0x4293a0 MoveWindow
0x4293a4 SetWindowTextA
0x4293a8 IsDialogMessageA
0x4293b0 WinHelpA
0x4293b4 GetCapture
0x4293b8 CreateWindowExA
0x4293bc SetWindowsHookExA
0x4293c0 CallNextHookEx
0x4293c4 GetClassLongA
0x4293c8 GetClassInfoExA
0x4293cc GetClassNameA
0x4293d0 SetPropA
0x4293d4 GetPropA
0x4293d8 RemovePropA
0x4293dc SendDlgItemMessageA
0x4293e0 GetFocus
0x4293e4 IsWindow
0x4293e8 SetFocus
0x4293ec IsChild
0x4293f4 GetWindowTextA
0x4293f8 GetForegroundWindow
0x4293fc GetLastActivePopup
0x429400 SetActiveWindow
0x429404 DispatchMessageA
0x429408 GetDlgItem
0x42940c GetTopWindow
0x429410 DestroyWindow
0x429414 UnhookWindowsHookEx
0x429418 GetMessageTime
0x42941c GetMessagePos
0x429420 PeekMessageA
0x429424 MapWindowPoints
0x429428 MessageBoxA
0x42942c GetKeyState
0x429430 SetForegroundWindow
0x429434 IsWindowVisible
0x429438 UpdateWindow
0x42943c GetMenu
0x429440 PostMessageA
0x429444 GetSysColor
0x429448 AdjustWindowRectEx
0x42944c GetParent
0x429450 EqualRect
0x429454 GetClassInfoA
0x429458 RegisterClassA
0x42945c UnregisterClassA
0x429460 GetDlgCtrlID
0x429464 DefWindowProcA
0x429468 CallWindowProcA
0x42946c GetWindowLongA
0x429470 SetWindowLongA
0x429474 SetWindowPos
0x429478 OffsetRect
0x42947c IntersectRect
0x429484 MessageBeep
0x429488 GetWindowPlacement
0x42948c GetWindowRect
0x429490 CopyRect
0x429494 PtInRect
0x429498 GetWindow
0x42949c GetMenuState
0x4294a0 GetMenuItemID
0x4294a4 GetMenuItemCount
0x4294a8 GetSubMenu
0x4294ac CharUpperA
0x4294b0 GetSystemMetrics
0x4294b4 LoadIconA
0x4294b8 GetClientRect
0x4294bc IsIconic
0x4294c0 GetSystemMenu
0x4294c4 SendMessageA
0x4294c8 AppendMenuA
0x4294cc DrawIcon
0x4294d0 ShowWindow
0x4294d4 EnableWindow
Library GDI32.dll:
0x429030 GetBkColor
0x429034 GetTextColor
0x42903c GetRgnBox
0x429040 GetMapMode
0x429044 GetWindowExtEx
0x429048 GetViewportExtEx
0x42904c DeleteObject
0x429050 PtVisible
0x429054 GetStockObject
0x429058 DeleteDC
0x42905c ExtSelectClipRgn
0x429060 ScaleWindowExtEx
0x429064 SetWindowExtEx
0x429068 ScaleViewportExtEx
0x42906c SetViewportExtEx
0x429070 OffsetViewportOrgEx
0x429074 SetViewportOrgEx
0x429078 SelectObject
0x42907c Escape
0x429080 TextOutA
0x429084 GetDeviceCaps
0x429088 SetMapMode
0x42908c RestoreDC
0x429090 SaveDC
0x429094 ExtTextOutA
0x429098 CreateBitmap
0x42909c GetObjectA
0x4290a0 SetBkColor
0x4290a4 SetTextColor
0x4290a8 GetClipBox
0x4290ac RectVisible
Library comdlg32.dll:
0x429514 GetSaveFileNameA
0x429518 GetFileTitleA
0x42951c GetOpenFileNameA
Library WINSPOOL.DRV:
0x4294dc OpenPrinterA
0x4294e0 DocumentPropertiesA
0x4294e4 ClosePrinter
Library ADVAPI32.dll:
0x429000 RegOpenKeyA
0x429004 RegQueryValueExA
0x429008 RegOpenKeyExA
0x42900c RegDeleteKeyA
0x429010 RegEnumKeyA
0x429014 RegQueryValueA
0x429018 RegCreateKeyExA
0x42901c RegSetValueExA
0x429020 RegCloseKey
Library COMCTL32.dll:
0x429028
Library SHLWAPI.dll:
0x4292d8 PathFindFileNameA
0x4292dc PathStripToRootA
0x4292e0 PathFindExtensionA
0x4292e4 PathIsUNCA
Library oledlg.dll:
0x429564
Library ole32.dll:
0x429524 CoRevokeClassObject
0x429528 CLSIDFromProgID
0x42952c CLSIDFromString
0x429530 CoTaskMemFree
0x429534 CoTaskMemAlloc
0x429538 CoGetClassObject
0x429548 OleUninitialize
0x429554 OleFlushClipboard
0x42955c OleInitialize
Library OLEAUT32.dll:
0x4292ac SafeArrayDestroy
0x4292b0 VariantCopy
0x4292b4 SysAllocStringLen
0x4292b8 VariantInit
0x4292c0 SysStringLen
0x4292c4 SysAllocString
0x4292c8 VariantClear
0x4292cc SysFreeString
0x4292d0 VariantChangeType
Library WS2_32.dll:
0x4294ec WSAStartup
0x4294f0 send
0x4294f4 recv
0x4294f8 socket
0x4294fc inet_addr
0x429500 htons
0x429504 connect
0x429508 closesocket
0x42950c WSACleanup

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49193 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49194 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49191 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49189 203.208.41.66 update.googleapis.com 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 53500 114.114.114.114 53
192.168.56.101 54991 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 58970 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60911 114.114.114.114 53
192.168.56.101 61680 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50568 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 54178 224.0.0.252 5355
192.168.56.101 54260 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=bd85de0d1a781f93&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619587457&mv=m
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=bd85de0d1a781f93&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619587457&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619587698&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619587698&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.