11.2
0-day
59 个模型检测该样本为恶意!
重新分析
更多

8b4b21d822e12b84b00e5d954b517a6ef37986365ddc8694cb0a59e33c443b65

6895f0d23d781185f7a3f53f6e3dc76a.exe

分析耗时

100s

最近分析

文件大小

340.0KB
静态报毒 动态报毒 100% AI SCORE=100 CONFIDENCE CRYPTERX DOWNLOADER34 ELDORADO EMOTET EMOTETPMF EWAY GDNJ GENCIRC GENETIC HFZB HIGH CONFIDENCE HUCXWA KRYPTIK MALWARE@#2QK17FSMLBSX7 OBFUSE QRYOC0YXLYU R + TROJ R+VJV1RD3IU R350346 RDSLC S15732951 SCORE SUSGEN THJABBO TROJANBANKER UNSAFE VOBFUSAGENTHK VQ0@A4GWD6JI ZEXAF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Emotet-FSD!6895F0D23D78 20201022 6.0.6.653
Alibaba Trojan:Win32/Emotet.52bb0ca6 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:CrypterX-gen [Trj] 20201022 18.4.3895.0
Tencent Malware.Win32.Gencirc.10cdfdbe 20201022 1.0.0.1
Kingsoft 20201022 2013.8.14.323
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1620787563.305001
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (3 个事件)
Time & API Arguments Status Return Repeated
1620787549.086001
CryptGenKey
crypto_handle: 0x00564d58
algorithm_identifier: 0x0000660e ()
provider_handle: 0x005646c8
flags: 1
key: fèv<º>!Æ{Ùp ¯ÙÊ
success 1 0
1620787563.321001
CryptExportKey
crypto_handle: 0x00564d58
crypto_export_handle: 0x00564d18
buffer: f¤[‰l¯î%Áðóq%_  Ü%èF˜jáNŽ§$ÖãÑ%äÛÙ»MV³o/lੑZPen[·qaün£ã`㿀d\àò¤êykĽ6ƒ…Ñʸð#ð۞Ï
blob_type: 1
flags: 64
success 1 0
1620787590.977001
CryptExportKey
crypto_handle: 0x00564d58
crypto_export_handle: 0x00564d18
buffer: f¤ ð⼞'ÝÇë—‹ËÝíé™ ¼`øË3E{ƧÀ­¨QOÌ©ÓS&K&@‹>éàšwþöE9ÚçM'äÅ[ ûݛËðŽˆCù"p¸TEÝtœ¥Y£§ôJÖ½@
blob_type: 1
flags: 64
success 1 0
The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)
resource name None
行为判定
动态指标
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:2641033048&cup2hreq=e69e359fe930290ce815bab4518467d48df96f68a6131ce0881c2b0413147ffe
Performs some HTTP requests (4 个事件)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620758358&mv=u&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=168fdb9a5e630b18&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620758415&mv=m&mvi=3
request POST https://update.googleapis.com/service/update2?cup2key=10:2641033048&cup2hreq=e69e359fe930290ce815bab4518467d48df96f68a6131ce0881c2b0413147ffe
Sends data using the HTTP POST Method (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:2641033048&cup2hreq=e69e359fe930290ce815bab4518467d48df96f68a6131ce0881c2b0413147ffe
Allocates read-write-execute memory (usually to unpack itself) (3 个事件)
Time & API Arguments Status Return Repeated
1620762798.015375
NtAllocateVirtualMemory
process_identifier: 1320
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00530000
success 0 0
1620762855.047
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004020000
success 0 0
1620787548.711001
NtAllocateVirtualMemory
process_identifier: 1752
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x007b0000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 个事件)
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)
Time & API Arguments Status Return Repeated
1620762798.031375
NtProtectVirtualMemory
process_identifier: 1320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 28672
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x00551000
success 0 0
Moves the original executable to a new location (1 个事件)
Time & API Arguments Status Return Repeated
1620762798.749375
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6895f0d23d781185f7a3f53f6e3dc76a.exe
newfilepath: C:\Windows\SysWOW64\NlsLexicons0003\KBDSW.exe
newfilepath_r: C:\Windows\SysWOW64\NlsLexicons0003\KBDSW.exe
flags: 3
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\6895f0d23d781185f7a3f53f6e3dc76a.exe
success 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1620787563.743001
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (1 个事件)
entropy 6.990463235002245 section {'size_of_data': '0x00010000', 'virtual_address': '0x00049000', 'entropy': 6.990463235002245, 'name': '.rsrc', 'virtual_size': '0x0000ffe8'} description A section with a high entropy has been found
Expresses interest in specific running processes (1 个事件)
process kbdsw.exe
Reads the systems User Agent and subsequently performs requests (1 个事件)
Time & API Arguments Status Return Repeated
1620787563.477001
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
网络通信
Communicates with host for which no DNS query was performed (3 个事件)
host 172.217.24.14
host 185.215.227.107
host 51.38.124.206
Installs itself for autorun at Windows startup (1 个事件)
service_name KBDSW service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\NlsLexicons0003\KBDSW.exe"
Created a service where a service was also not started (1 个事件)
Time & API Arguments Status Return Repeated
1620762803.062375
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x02b816c0
display_name: KBDSW
error_control: 0
service_name: KBDSW
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\NlsLexicons0003\KBDSW.exe"
filepath_r: "C:\Windows\SysWOW64\NlsLexicons0003\KBDSW.exe"
service_manager_handle: 0x02b81080
desired_access: 2
service_type: 16
password:
success 45618880 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)
Time & API Arguments Status Return Repeated
1620787567.024001
RegSetValueExA
key_handle: 0x000003c0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620787567.024001
RegSetValueExA
key_handle: 0x000003c0
value: ™1ÈF×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620787567.024001
RegSetValueExA
key_handle: 0x000003c0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620787567.024001
RegSetValueExW
key_handle: 0x000003c0
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620787567.024001
RegSetValueExA
key_handle: 0x000003d8
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620787567.024001
RegSetValueExA
key_handle: 0x000003d8
value: ™1ÈF×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620787567.024001
RegSetValueExA
key_handle: 0x000003d8
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620787567.040001
RegSetValueExW
key_handle: 0x000003bc
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 个事件)
file C:\Windows\SysWOW64\NlsLexicons0003\KBDSW.exe:Zone.Identifier
File has been identified by 59 AntiVirus engines on VirusTotal as malicious (50 out of 59 个事件)
Bkav W32.VobfusAgentHK.Trojan
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.Agent.EWAY
FireEye Generic.mg.6895f0d23d781185
CAT-QuickHeal Trojan.EmotetPMF.S15732951
Qihoo-360 Generic/Trojan.0c2
McAfee Emotet-FSD!6895F0D23D78
Cylance Unsafe
Zillya Trojan.Emotet.Win32.28383
Sangfor Malware
K7AntiVirus Trojan ( 0056dc831 )
Alibaba Trojan:Win32/Emotet.52bb0ca6
K7GW Trojan ( 0056de091 )
Arcabit Trojan.Agent.EWAY
Invincea Mal/Generic-R + Troj/Emotet-CLZ
Cyren W32/Kryptik.BWJ.gen!Eldorado
Symantec Packed.Generic.554
APEX Malicious
Avast Win32:CrypterX-gen [Trj]
ClamAV Win.Malware.Emotet-9753021-0
Kaspersky Trojan-Banker.Win32.Emotet.gdnj
BitDefender Trojan.Agent.EWAY
NANO-Antivirus Trojan.Win32.Emotet.hucxwa
Paloalto generic.ml
AegisLab Trojan.Win32.Emotet.L!c
Tencent Malware.Win32.Gencirc.10cdfdbe
Ad-Aware Trojan.Agent.EWAY
Emsisoft Trojan.Emotet (A)
Comodo Malware@#2qk17fsmlbsx7
F-Secure Trojan.TR/Crypt.Agent.rdslc
DrWeb Trojan.DownLoader34.32251
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.EMOTET.THJABBO
McAfee-GW-Edition BehavesLike.Win32.Emotet.fh
Sophos Troj/Emotet-CLZ
Jiangmin Trojan.Banker.Emotet.oie
Avira TR/Crypt.Agent.rdslc
MAX malware (ai score=100)
Antiy-AVL Trojan[Banker]/Win32.Emotet
Microsoft Trojan:Win32/Emotet.ARK!MTB
ZoneAlarm Trojan-Banker.Win32.Emotet.gdnj
GData Trojan.Agent.EWAY
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Emotet.R350346
VBA32 TrojanBanker.Emotet
ALYac Trojan.Agent.Emotet
TACHYON Trojan/W32.Agent.348160.ALL
Malwarebytes Trojan.Agent
ESET-NOD32 a variant of Win32/Kryptik.HFZB
TrendMicro-HouseCall TrojanSpy.Win32.EMOTET.THJABBO
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 个事件)
dead_host 51.38.124.206:80
dead_host 172.217.160.110:443
dead_host 172.217.24.14:443
dead_host 185.215.227.107:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-09-05 01:09:21

Imports

Library KERNEL32.dll:
0x4340b4 GetFileTime
0x4340b8 GetTickCount
0x4340bc HeapFree
0x4340c0 RtlUnwind
0x4340c4 VirtualProtect
0x4340c8 VirtualAlloc
0x4340cc GetSystemInfo
0x4340d0 VirtualQuery
0x4340d4 HeapAlloc
0x4340d8 HeapReAlloc
0x4340dc GetCommandLineA
0x4340e0 GetProcessHeap
0x4340e4 GetStartupInfoA
0x4340e8 RaiseException
0x4340ec ExitProcess
0x4340f0 HeapSize
0x4340f4 HeapDestroy
0x4340f8 HeapCreate
0x4340fc VirtualFree
0x434100 TerminateProcess
0x43410c IsDebuggerPresent
0x434110 GetACP
0x434114 LCMapStringA
0x434118 GetFileAttributesA
0x43411c GetStdHandle
0x434120 Sleep
0x434134 SetHandleCount
0x434138 GetFileType
0x434144 GetStringTypeA
0x434148 GetStringTypeW
0x434150 GetConsoleCP
0x434154 GetConsoleMode
0x434158 SetStdHandle
0x43415c WriteConsoleA
0x434160 GetConsoleOutputCP
0x434164 WriteConsoleW
0x434170 SetErrorMode
0x434178 GetOEMCP
0x43417c GetCPInfo
0x434180 CreateFileA
0x434184 GetFullPathNameA
0x43418c FindFirstFileA
0x434190 FindClose
0x434194 GetCurrentProcess
0x434198 DuplicateHandle
0x43419c GetThreadLocale
0x4341a0 GetFileSize
0x4341a4 SetEndOfFile
0x4341a8 UnlockFile
0x4341ac LockFile
0x4341b0 FlushFileBuffers
0x4341b4 SetFilePointer
0x4341b8 WriteFile
0x4341bc ReadFile
0x4341c0 GlobalFlags
0x4341c4 TlsFree
0x4341cc LocalReAlloc
0x4341d0 TlsSetValue
0x4341d4 TlsAlloc
0x4341dc GlobalHandle
0x4341e0 GlobalReAlloc
0x4341e8 TlsGetValue
0x4341f0 LocalAlloc
0x4341fc GetModuleFileNameW
0x434200 GlobalGetAtomNameA
0x434204 GlobalFindAtomA
0x434208 lstrcmpW
0x43420c GetVersionExA
0x434214 FreeResource
0x434218 GetCurrentProcessId
0x43421c GlobalAddAtomA
0x434220 CloseHandle
0x434224 GetCurrentThread
0x434228 GetCurrentThreadId
0x434230 GetModuleFileNameA
0x434238 GetLocaleInfoA
0x43423c LoadLibraryA
0x434240 lstrcmpA
0x434244 FreeLibrary
0x434248 GlobalDeleteAtom
0x43424c GetModuleHandleA
0x434250 SetLastError
0x434254 GlobalFree
0x434258 GlobalAlloc
0x43425c GlobalLock
0x434260 GlobalUnlock
0x434264 FormatMessageA
0x434268 LocalFree
0x43426c MulDiv
0x434270 LoadResource
0x434274 LockResource
0x434278 SizeofResource
0x43427c FindResourceA
0x434280 LoadLibraryW
0x434284 GetProcAddress
0x434288 GetLastError
0x43428c lstrlenA
0x434290 WideCharToMultiByte
0x434294 CompareStringA
0x434298 CompareStringW
0x43429c MultiByteToWideChar
0x4342a0 GetVersion
0x4342a4 LCMapStringW
0x4342a8 InterlockedExchange
Library USER32.dll:
0x4342fc UnregisterClassA
0x434304 PostThreadMessageA
0x434308 ReleaseCapture
0x43430c SetCapture
0x434310 LoadCursorA
0x434314 GetSysColorBrush
0x434318 EndPaint
0x43431c BeginPaint
0x434320 GetWindowDC
0x434324 ReleaseDC
0x434328 GetDC
0x43432c ClientToScreen
0x434330 GrayStringA
0x434334 DrawTextExA
0x434338 DrawTextA
0x43433c TabbedTextOutA
0x434340 DestroyMenu
0x434344 ShowWindow
0x434348 MoveWindow
0x43434c SetWindowTextA
0x434350 IsDialogMessageA
0x434358 SendDlgItemMessageA
0x43435c WinHelpA
0x434360 IsChild
0x434364 GetCapture
0x434368 GetClassLongA
0x43436c SetPropA
0x434370 GetPropA
0x434374 RemovePropA
0x434378 SetFocus
0x434380 GetWindowTextA
0x434384 MessageBeep
0x434388 GetTopWindow
0x43438c UnhookWindowsHookEx
0x434390 GetMessageTime
0x434394 GetMessagePos
0x434398 MapWindowPoints
0x43439c SetForegroundWindow
0x4343a0 UpdateWindow
0x4343a4 GetMenu
0x4343a8 CreateWindowExA
0x4343ac GetClassInfoExA
0x4343b0 GetClassInfoA
0x4343b4 RegisterClassA
0x4343b8 GetSysColor
0x4343bc AdjustWindowRectEx
0x4343c0 EqualRect
0x4343c4 CopyRect
0x4343c8 PtInRect
0x4343cc GetDlgCtrlID
0x4343d0 DefWindowProcA
0x4343d4 CallWindowProcA
0x4343d8 SetWindowLongA
0x4343dc OffsetRect
0x4343e0 IntersectRect
0x4343e8 GetWindowPlacement
0x4343ec GetWindowRect
0x4343f0 GetWindow
0x4343f8 MapDialogRect
0x4343fc SetWindowPos
0x434400 GetDesktopWindow
0x434404 CharUpperA
0x434408 EnableWindow
0x43440c LoadIconA
0x434410 SetActiveWindow
0x434418 DestroyWindow
0x43441c IsWindow
0x434420 GetDlgItem
0x434424 GetNextDlgTabItem
0x434428 EndDialog
0x434430 GetWindowLongA
0x434434 GetLastActivePopup
0x434438 IsWindowEnabled
0x43443c MessageBoxA
0x434440 GetNextDlgGroupItem
0x434444 InvalidateRgn
0x434448 InvalidateRect
0x43444c SetRect
0x434450 IsRectEmpty
0x434454 SetCursor
0x434458 SetWindowsHookExA
0x434460 CharNextA
0x434464 GetForegroundWindow
0x434468 SendMessageA
0x43446c AppendMenuA
0x434470 GetSystemMenu
0x434474 DrawIcon
0x434478 GetClientRect
0x43447c GetSystemMetrics
0x434480 IsIconic
0x434484 GetSubMenu
0x434488 GetMenuItemCount
0x43448c GetMenuItemID
0x434490 GetMenuState
0x434494 PostQuitMessage
0x434498 PostMessageA
0x43449c CheckMenuItem
0x4344a0 EnableMenuItem
0x4344a4 ModifyMenuA
0x4344a8 GetParent
0x4344ac GetFocus
0x4344b0 LoadBitmapA
0x4344b8 SetMenuItemBitmaps
0x4344bc ValidateRect
0x4344c0 GetCursorPos
0x4344c4 PeekMessageA
0x4344c8 GetKeyState
0x4344cc IsWindowVisible
0x4344d0 GetActiveWindow
0x4344d4 DispatchMessageA
0x4344d8 TranslateMessage
0x4344dc GetMessageA
0x4344e0 CallNextHookEx
0x4344e4 GetClassNameA
Library GDI32.dll:
0x434030 ScaleWindowExtEx
0x434034 ExtSelectClipRgn
0x434038 DeleteDC
0x43403c GetStockObject
0x434040 SetWindowExtEx
0x434044 GetBkColor
0x434048 GetTextColor
0x434050 GetRgnBox
0x434054 GetMapMode
0x434058 ScaleViewportExtEx
0x43405c SetViewportExtEx
0x434060 OffsetViewportOrgEx
0x434064 SetViewportOrgEx
0x434068 SelectObject
0x43406c Escape
0x434070 TextOutA
0x434074 RectVisible
0x434078 PtVisible
0x43407c GetDeviceCaps
0x434080 GetViewportExtEx
0x434084 DeleteObject
0x434088 SetMapMode
0x43408c RestoreDC
0x434090 SaveDC
0x434094 ExtTextOutA
0x434098 GetObjectA
0x43409c SetBkColor
0x4340a0 SetTextColor
0x4340a4 GetClipBox
0x4340a8 CreateBitmap
0x4340ac GetWindowExtEx
Library comdlg32.dll:
0x4344fc GetFileTitleA
Library WINSPOOL.DRV:
0x4344ec DocumentPropertiesA
0x4344f0 OpenPrinterA
0x4344f4 ClosePrinter
Library ADVAPI32.dll:
0x434000 RegOpenKeyExA
0x434004 RegQueryValueA
0x434008 RegEnumKeyA
0x43400c RegDeleteKeyA
0x434010 RegCloseKey
0x434014 RegOpenKeyA
0x434018 RegSetValueExA
0x43401c RegCreateKeyExA
0x434020 RegQueryValueExA
Library COMCTL32.dll:
0x434028
Library SHLWAPI.dll:
0x4342e8 PathFindFileNameA
0x4342ec PathStripToRootA
0x4342f0 PathFindExtensionA
0x4342f4 PathIsUNCA
Library oledlg.dll:
0x434544
Library ole32.dll:
0x434504 OleInitialize
0x43450c OleUninitialize
0x43451c CoGetClassObject
0x434520 CLSIDFromString
0x434524 CoRevokeClassObject
0x434528 CoTaskMemAlloc
0x43452c CoTaskMemFree
0x434534 OleFlushClipboard
0x43453c CLSIDFromProgID
Library OLEAUT32.dll:
0x4342b0 SysAllocStringLen
0x4342b4 VariantClear
0x4342b8 VariantChangeType
0x4342bc VariantInit
0x4342c0 SysStringLen
0x4342d4 SafeArrayDestroy
0x4342d8 SysAllocString
0x4342dc VariantCopy
0x4342e0 SysFreeString

Exports

Ordinal Address Name
1 0x401b20 UUACZDADWAJJJJJ

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49190 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49191 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49189 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49186 203.208.41.66 update.googleapis.com 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 54260 114.114.114.114 53
192.168.56.101 54991 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 60088 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57236 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620758358&mv=u&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620758358&mv=u&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=168fdb9a5e630b18&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620758415&mv=m&mvi=3 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=168fdb9a5e630b18&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620758415&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.