10.2
0-day

fae4b68fd012b125798ff82a817de667df0820b6617d53a854054c356f324383

68133e7560881e602552ba12723c705a.exe

Analysis duration

109s

Last analyzed

File size

420.0KB
Static detection: malicious. Dynamic detection: malicious. Tags: 100% AI SCORE=80 ATTRIBUTE AU0@AKOG7ZGI CKGENERIC CLASSIC CONFIDENCE ELDORADO EMOTET EMOTETGTP GCNV GENCIRC GENERICKDZ GENETIC HFTI HIGHCONFIDENCE KRYPTIK MALICIOUS NYRSJ R + TROJ R011C0DHS20 R349341 SUSGEN ZEXAF
Hawkeye engine
Not detected: no Hawkeye engine results are available for this sample
Static verdict
Antivirus engines
Engine Result Date Version
McAfee Emotet-FRW!68133E756088 20200902 6.0.6.653
Alibaba Trojan:Win32/Emotet.c9f454a9 20190527 0.3.0.5
Avast Win32:Trojan-gen 20200902 18.4.3895.0
Tencent Malware.Win32.Gencirc.10cdf580 20200902 1.0.0.1
Baidu 20190318 1.0.0.2
Kingsoft 20200902 2013.8.14.323
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1620782277.231501
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (5 events)
Time & API Arguments Status Return Repeated
1620782264.387501
CryptGenKey
crypto_handle: 0x0068b4d0
algorithm_identifier: 0x0000660e ()
provider_handle: 0x005c4470
flags: 1
key: fžƒ¯{ ©T†ßB˜Íù
success 1 0
1620782277.246501
CryptExportKey
crypto_handle: 0x0068b4d0
crypto_export_handle: 0x005c4538
buffer: f¤'2–8>ôKuæ„éð›÷,wçVþV±—CŒâhcÒµ®oñ‡ëb'z6Šî‡hoYFÅÿníÅ®“Âóqà MGÐ[ªo¯äÐyö‚»&&IV…f{}8‰ÂE3½óA
blob_type: 1
flags: 64
success 1 0
1620782305.621501
CryptExportKey
crypto_handle: 0x0068b4d0
crypto_export_handle: 0x005c4538
buffer: f¤Pimß+\âX ”“BqGÚö°‘ŒS‰rE‚±)£ÛŒySæ´'"´ RôëÙEߢÿ~>Îq”^úý!®Ä£Œxí4fšßÌUŸ*PðB–.¢Ý«ëüÒ¯ÑðÈVÂO
blob_type: 1
flags: 64
success 1 0
1620782329.715501
CryptExportKey
crypto_handle: 0x0068b4d0
crypto_export_handle: 0x005c4538
buffer: f¤íK媢ºÛäʔhžçdØ©ÕT{Å4§<„Â]ôdÓ»ÈYRÕvNFD™¼ë›U‡ÐU¥ÖȘ°6®víc{ÃøÙ °94L4Ñh²;w 3‹S™¶ýÛÇ2\/èp
blob_type: 1
flags: 64
success 1 0
1620782335.246501
CryptExportKey
crypto_handle: 0x0068b4d0
crypto_export_handle: 0x005c4538
buffer: f¤å‡ŒIÉaõâéHŽ<5(¿'…I°Œ÷§Ñtǁg“™}”bìAWêߖaðËþ:¼õÐÔ§à~ÎDç)¿ï-åNö*±òãÁ;úýI§3 ¬#®7"]Ö®V¶HY‰ 
blob_type: 1
flags: 64
success 1 0
Behavioral verdict
Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:3880156522&cup2hreq=bea49d0ec235bb4164d26d9121c07b95ac89f1109361fca1f9fc6a46da54728e
Performs some HTTP requests (4 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620753373&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=a6d1218eba6b4b08&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620753373&mv=m&mvi=3
request POST https://update.googleapis.com/service/update2?cup2key=10:3880156522&cup2hreq=bea49d0ec235bb4164d26d9121c07b95ac89f1109361fca1f9fc6a46da54728e
Sends data using the HTTP POST method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:3880156522&cup2hreq=bea49d0ec235bb4164d26d9121c07b95ac89f1109361fca1f9fc6a46da54728e
Allocates read-write-execute memory (usually to unpack itself) (3 events)
Time & API Arguments Status Return Repeated
1620782256.607249
NtAllocateVirtualMemory
process_identifier: 520
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x01ef0000
success 0 0
1620781886.87527
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004060000
success 0 0
1620782264.059501
NtAllocateVirtualMemory
process_identifier: 2236
region_size: 36864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x006d0000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Searches running processes, potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)
Moves the original executable to a new location (1 event)
Time & API Arguments Status Return Repeated
1620782257.966249
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\68133e7560881e602552ba12723c705a.exe
newfilepath: C:\Windows\SysWOW64\icm32\KBDUSX.exe
newfilepath_r: C:\Windows\SysWOW64\icm32\KBDUSX.exe
flags: 3
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\68133e7560881e602552ba12723c705a.exe
success 1 0
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1620782278.918501
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
Expresses interest in specific running processes (1 event)
process kbdusx.exe
Reads the system's User Agent and subsequently performs requests (1 event)
Time & API Arguments Status Return Repeated
1620782278.246501
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
Network communication
Communicates with hosts for which no DNS query was performed (5 events)
host 116.125.120.88
host 172.217.24.14
host 71.197.211.156
host 87.118.70.45
host 91.121.54.71
Installs itself for autorun at Windows startup (1 event)
service_name KBDUSX service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\icm32\KBDUSX.exe"
Created a service that was not started (1 event)
Time & API Arguments Status Return Repeated
1620782262.341249
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x02d49100
display_name: KBDUSX
error_control: 0
service_name: KBDUSX
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\icm32\KBDUSX.exe"
filepath_r: "C:\Windows\SysWOW64\icm32\KBDUSX.exe"
service_manager_handle: 0x02d68988
desired_access: 2
service_type: 16
password:
success 47485184 0
Sets or modifies the WPAD proxy autoconfiguration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1620782281.496501
RegSetValueExA
key_handle: 0x000003c4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620782281.496501
RegSetValueExA
key_handle: 0x000003c4
value: uÛÉF×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620782281.496501
RegSetValueExA
key_handle: 0x000003c4
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620782281.496501
RegSetValueExW
key_handle: 0x000003c4
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620782281.496501
RegSetValueExA
key_handle: 0x000003dc
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620782281.496501
RegSetValueExA
key_handle: 0x000003dc
value: uÛÉF×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620782281.496501
RegSetValueExA
key_handle: 0x000003dc
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620782281.512501
RegSetValueExW
key_handle: 0x000003c0
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Attempts to remove evidence of the file being downloaded from the Internet (1 event)
file C:\Windows\SysWOW64\icm32\KBDUSX.exe:Zone.Identifier
File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 events)
Bkav W32.EmotetGTP.Trojan
DrWeb Trojan.Emotet.1005
MicroWorld-eScan Trojan.GenericKDZ.69740
FireEye Generic.mg.68133e7560881e60
CAT-QuickHeal Trojan.CKGENERIC
McAfee Emotet-FRW!68133E756088
Malwarebytes Trojan.MalPack.TRE
Zillya Trojan.Emotet.Win32.25684
K7AntiVirus Trojan ( 005600261 )
Alibaba Trojan:Win32/Emotet.c9f454a9
K7GW Trojan ( 005600261 )
Arcabit Trojan.Generic.D1106C
TrendMicro TROJ_GEN.R011C0DHS20
BitDefenderTheta Gen:NN.ZexaF.34216.Au0@aKOG7zgi
Cyren W32/Emotet.ARC.gen!Eldorado
Symantec ML.Attribute.HighConfidence
TrendMicro-HouseCall TROJ_GEN.R011C0DHS20
Avast Win32:Trojan-gen
Kaspersky Trojan-Banker.Win32.Emotet.gcnv
BitDefender Trojan.GenericKDZ.69740
Paloalto generic.ml
ViRobot Trojan.Win32.Emotet.430080.B
Tencent Malware.Win32.Gencirc.10cdf580
Ad-Aware Trojan.GenericKDZ.69740
F-Secure Trojan.TR/Crypt.Agent.nyrsj
VIPRE Trojan.Win32.Generic!BT
Invincea Mal/Generic-R + Troj/Emotet-CLV
Sophos Troj/Emotet-CLV
Ikarus Trojan-Banker.Emotet
Jiangmin Trojan.Banker.Emotet.ogb
Avira TR/Crypt.Agent.nyrsj
Antiy-AVL Trojan[Banker]/Win32.Emotet
Microsoft Trojan:Win32/Emotet.ARJ!MTB
AegisLab Trojan.Win32.Emotet.L!c
ZoneAlarm Trojan-Banker.Win32.Emotet.gcnv
GData Trojan.GenericKDZ.69740
AhnLab-V3 Trojan/Win32.Emotet.R349341
ALYac Trojan.GenericKDZ.69740
TACHYON Banker/W32.Emotet.430080.E
APEX Malicious
ESET-NOD32 Win32/Emotet.CD
Rising Trojan.Emotet!1.CB4A (CLASSIC)
MAX malware (ai score=80)
MaxSecure Trojan.Malware.105981105.susgen
Fortinet W32/Kryptik.HFTI!tr
AVG Win32:Trojan-gen
Panda Trj/Genetic.gen
CrowdStrike win/malicious_confidence_100% (W)
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (9 events)
dead_host 71.197.211.156:80
dead_host 192.168.56.101:49192
dead_host 172.217.24.14:443
dead_host 216.58.200.46:443
dead_host 192.168.56.101:49197
dead_host 116.125.120.88:443
dead_host 87.118.70.45:8080
dead_host 91.121.54.71:8080
dead_host 172.217.160.78:443
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No screenshots: no screenshots were captured while the sample ran


PE Compile Time

2020-08-26 17:00:32

Imports


Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49194 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49195 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49191 203.208.40.34 update.googleapis.com 443
192.168.56.101 49193 203.208.41.65 redirector.gvt1.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 53500 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55169 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 60088 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 60911 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 54991 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620753373&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620753373&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=a6d1218eba6b4b08&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620753373&mv=m&mvi=3
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=a6d1218eba6b4b08&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620753373&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.