SmartHawk

7.8

高危

56 个模型检测该样本为恶意！

重新分析

下载样本

3cb8655a68e31801726b1f8418b0553ea2110a269652f1cd761ceb455f0aad2e

9285e6481b7fb7ed15f0e70e256e7ff8.exe

分析耗时

75s

最近分析

文件大小

260.0KB

静态报毒动态报毒 AI SCORE=85 AIDETECTVM CLASSIC CONFIDENCE ELDORADO EMOTET GCVV GENCIRC GENERICKDZ HIGH CONFIDENCE HTTQBA MALWARE1 MALWARE@#4H8TELIY66YF QQ0@AAUOHQJI R + TROJ R057C0DHU20 R349641 SCORE SUSPICIOUS PE TROJANBANKER UNSAFE UZNZU ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Trojan:Win32/Emotet.b0c750f1	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:Malware-gen	20200923	18.4.3895.0
Kingsoft		20200923	2013.8.14.323
McAfee		20200922	6.0.6.653
Tencent	Malware.Win32.Gencirc.10cdfaad	20200923	1.0.0.1
CrowdStrike	win/malicious_confidence_70% (D)	20190702	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619686139.972915 GetComputerNameA	computer_name: OSKAR-PC	success	1	0

Uses Windows APIs to generate a cryptographic key (4 个事件)

Time & API	Arguments	Status	Return
1619686131.832915 CryptGenKey	crypto_handle: 0x002841b8 algorithm_identifier: 0x0000660e () provider_handle: 0x00295348 flags: 1 key: f¸pÇáËVyÛ>Î&Ç	success	1
1619686139.988915 CryptExportKey	crypto_handle: 0x002841b8 crypto_export_handle: 0x00284138 buffer: f¤ª{6/ö,\|ô¢Ç©O 7À;1H) ½ô&¹JOáÐÍØ7AÐ<º\|Ýø^÷¤e\¥×Ãûïk\|ÓR@)þç[ÌÂÆKò<·uägvhîVÚg.}l blob_type: 1 flags: 64	success	1
1619686175.003915 CryptExportKey	crypto_handle: 0x002841b8 crypto_export_handle: 0x00284138 buffer: f¤ñºdëòÃ ¸ÜpfZÐý0'¯_pÑ!ÁyµÄÔO}zÎ4ÖL->xc§î¤«¿àæ,õ´´!¦ÙÊÀcYaª 4 blob_type: 1 flags: 64	success	1
1619686180.582915 CryptExportKey	crypto_handle: 0x002841b8 crypto_export_handle: 0x00284138 buffer: f¤FWõ>K) ÷ô9Hjµ/sð2S*mX\ÆÜS=?#'26yþÛÐ®J8½6×ºSêPXá ü oß1#Þð"¨ðTÛ8×ù©eó7ÕT·C blob_type: 1 flags: 64	success	1

The executable uses a known packer (1 个事件)

packer

Armadillo v1.71

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)

suspicious_features

POST method with no referer header

suspicious_request

POST https://update.googleapis.com/service/update2?cup2key=10:2930426797&cup2hreq=c16309c7191a2d109571ddddd8655a9f953e3eac4e0706eab96afd91ebd519c7

Performs some HTTP requests (5 个事件)

request	HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619657535&mv=m&mvi=1&pl=23&shardbypass=yes
request	HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=a6681797c21b89fa&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619657535&mv=m
request	GET http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=a6681797c21b89fa&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619657535&mv=m
request	POST https://update.googleapis.com/service/update2?cup2key=10:2930426797&cup2hreq=c16309c7191a2d109571ddddd8655a9f953e3eac4e0706eab96afd91ebd519c7

Sends data using the HTTP POST Method (1 个事件)

request

POST https://update.googleapis.com/service/update2?cup2key=10:2930426797&cup2hreq=c16309c7191a2d109571ddddd8655a9f953e3eac4e0706eab96afd91ebd519c7

Allocates read-write-execute memory (usually to unpack itself) (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619686131.175915 NtAllocateVirtualMemory	process_identifier: 2244 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01e30000	success	0	0
1619686131.207915 NtAllocateVirtualMemory	process_identifier: 2244 region_size: 36864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x02210000	success	0	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (45 个事件)

Time & API	Arguments	Status	Return
1619686131.566915 Process32FirstW	process_name: [System Process] snapshot_handle: 0x00000144 process_identifier: 0	success	1
1619686131.566915 Process32NextW	process_name: System snapshot_handle: 0x00000144 process_identifier: 4	success	1
1619686131.566915 Process32NextW	process_name: smss.exe snapshot_handle: 0x00000144 process_identifier: 276	success	1
1619686131.566915 Process32NextW	process_name: csrss.exe snapshot_handle: 0x00000144 process_identifier: 372	success	1
1619686131.566915 Process32NextW	process_name: csrss.exe snapshot_handle: 0x00000144 process_identifier: 424	success	1
1619686131.566915 Process32NextW	process_name: wininit.exe snapshot_handle: 0x00000144 process_identifier: 432	success	1
1619686131.566915 Process32NextW	process_name: services.exe snapshot_handle: 0x00000144 process_identifier: 476	success	1
1619686131.566915 Process32NextW	process_name: winlogon.exe snapshot_handle: 0x00000144 process_identifier: 508	success	1
1619686131.582915 Process32NextW	process_name: lsass.exe snapshot_handle: 0x00000144 process_identifier: 536	success	1
1619686131.582915 Process32NextW	process_name: lsm.exe snapshot_handle: 0x00000144 process_identifier: 544	success	1
1619686131.582915 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000144 process_identifier: 656	success	1
1619686131.582915 Process32NextW	process_name: VBoxService.exe snapshot_handle: 0x00000144 process_identifier: 720	success	1
1619686131.582915 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000144 process_identifier: 788	success	1
1619686131.582915 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000144 process_identifier: 868	success	1
1619686131.582915 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000144 process_identifier: 924	success	1
1619686131.582915 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000144 process_identifier: 956	success	1
1619686131.582915 Process32NextW	process_name: audiodg.exe snapshot_handle: 0x00000144 process_identifier: 112	success	1
1619686131.582915 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000144 process_identifier: 540	success	1
1619686131.582915 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000144 process_identifier: 1080	success	1
1619686131.582915 Process32NextW	process_name: spoolsv.exe snapshot_handle: 0x00000144 process_identifier: 1260	success	1
1619686131.582915 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000144 process_identifier: 1288	success	1
1619686131.582915 Process32NextW	process_name: taskhost.exe snapshot_handle: 0x00000144 process_identifier: 1336	success	1
1619686131.582915 Process32NextW	process_name: dwm.exe snapshot_handle: 0x00000144 process_identifier: 1384	success	1
1619686131.582915 Process32NextW	process_name: explorer.exe snapshot_handle: 0x00000144 process_identifier: 1424	success	1
1619686131.582915 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000144 process_identifier: 1592	success	1
1619686131.582915 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000144 process_identifier: 1980	success	1
1619686131.582915 Process32NextW	process_name: taskeng.exe snapshot_handle: 0x00000144 process_identifier: 1240	success	1
1619686131.582915 Process32NextW	process_name: VBoxTray.exe snapshot_handle: 0x00000144 process_identifier: 2072	success	1
1619686131.582915 Process32NextW	process_name: SearchIndexer.exe snapshot_handle: 0x00000144 process_identifier: 2380	success	1
1619686131.582915 Process32NextW	process_name: wmpnetwk.exe snapshot_handle: 0x00000144 process_identifier: 2460	success	1
1619686131.582915 Process32NextW	process_name: WmiPrvSE.exe snapshot_handle: 0x00000144 process_identifier: 2672	success	1
1619686131.582915 Process32NextW	process_name: SearchProtocolHost.exe snapshot_handle: 0x00000144 process_identifier: 2744	success	1
1619686131.582915 Process32NextW	process_name: SearchFilterHost.exe snapshot_handle: 0x00000144 process_identifier: 2784	success	1
1619686131.582915 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000144 process_identifier: 2884	success	1
1619686131.582915 Process32NextW	process_name: SearchProtocolHost.exe snapshot_handle: 0x00000144 process_identifier: 2940	success	1
1619686131.582915 Process32NextW	process_name: pythonw.exe snapshot_handle: 0x00000144 process_identifier: 2132	success	1
1619686131.582915 Process32NextW	process_name: pythonw.exe snapshot_handle: 0x00000144 process_identifier: 1380	success	1
1619686131.582915 Process32NextW	process_name: mobsync.exe snapshot_handle: 0x00000144 process_identifier: 2116	success	1
1619686131.582915 Process32NextW	process_name: wsqmcons.exe snapshot_handle: 0x00000144 process_identifier: 2344	success	1
1619686131.582915 Process32NextW	process_name: dllhost.exe snapshot_handle: 0x00000144 process_identifier: 2856	success	1
1619686131.582915 Process32NextW	process_name: sdclt.exe snapshot_handle: 0x00000144 process_identifier: 2636	success	1
1619686131.582915 Process32NextW	process_name: taskhost.exe snapshot_handle: 0x00000144 process_identifier: 2228	success	1
1619686131.582915 Process32NextW	process_name: 9285e6481b7fb7ed15f0e70e256e7ff8.exe snapshot_handle: 0x00000144 process_identifier: 2244	success	1
1619686139.988915 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x00000150 process_identifier: 200	success	1
1619686175.003915 Process32NextW	process_name: GoogleUpdate.exe snapshot_handle: 0x00000394 process_identifier: 2548	success	1

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619686140.535915 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

Expresses interest in specific running processes (1 个事件)

process

9285e6481b7fb7ed15f0e70e256e7ff8.exe

Reads the systems User Agent and subsequently performs requests (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619686140.191915 InternetOpenW	proxy_bypass: access_type: 0 proxy_name: flags: 0 user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)	success	13369348	0

Communicates with host for which no DNS query was performed (4 个事件)

host	172.217.24.14
host	209.236.123.42
host	45.16.226.117
host	91.121.54.71

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)

Time & API	Arguments	Status
1619686143.128915 RegSetValueExA	key_handle: 0x00000394 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1619686143.128915 RegSetValueExA	key_handle: 0x00000394 value: ð±}Ç<× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1619686143.128915 RegSetValueExA	key_handle: 0x00000394 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1619686143.128915 RegSetValueExW	key_handle: 0x00000394 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1619686143.128915 RegSetValueExA	key_handle: 0x000003ac value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1619686143.128915 RegSetValueExA	key_handle: 0x000003ac value: ð±}Ç<× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1619686143.128915 RegSetValueExA	key_handle: 0x000003ac value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1619686143.160915 RegSetValueExW	key_handle: 0x00000390 value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKDZ.69816
FireEye	Generic.mg.9285e6481b7fb7ed
Qihoo-360	Win32/Trojan.570
ALYac	Trojan.Agent.Emotet
Cylance	Unsafe
Zillya	Trojan.Emotet.Win32.27694
K7AntiVirus	Riskware ( 0040eff71 )
Alibaba	Trojan:Win32/Emotet.b0c750f1
K7GW	Riskware ( 0040eff71 )
Cybereason	malicious.8d6cf9
Arcabit	Trojan.Generic.D110B8
Invincea	Mal/Generic-R + Troj/Emotet-CMG
BitDefenderTheta	Gen:NN.ZexaF.34254.qq0@aaUOhQji
Cyren	W32/Emotet.ARO.gen!Eldorado
Symantec	Packed.Generic.554
APEX	Malicious
Paloalto	generic.ml
Kaspersky	Trojan-Banker.Win32.Emotet.gcvv
BitDefender	Trojan.GenericKDZ.69816
NANO-Antivirus	Trojan.Win32.Emotet.httqba
Avast	Win32:Malware-gen
Rising	Trojan.Emotet!1.CB4C (CLASSIC)
Ad-Aware	Trojan.GenericKDZ.69816
TACHYON	Trojan/W32.Agent.266240.AON
Emsisoft	Trojan.Emotet (A)
Comodo	Malware@#4h8teliy66yf
F-Secure	Trojan.TR/Emotet.uznzu
DrWeb	Trojan.Emotet.1006
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R057C0DHU20
McAfee-GW-Edition	Emotet-FRZ!9285E6481B7F
Sophos	Troj/Emotet-CMG
Ikarus	Trojan-Banker.Emotet
Jiangmin	Trojan.Banker.Emotet.ogo
Avira	TR/Emotet.uznzu
Antiy-AVL	Trojan[Banker]/Win32.Emotet
Microsoft	Trojan:Win32/Emotet.PBM!MTB
AegisLab	Trojan.Win32.Emotet.L!c
ZoneAlarm	Trojan-Banker.Win32.Emotet.gcvv
GData	Trojan.GenericKDZ.69816
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Emotet.R349641
MAX	malware (ai score=85)
VBA32	TrojanBanker.Emotet
Malwarebytes	Trojan.Emotet
ESET-NOD32	Win32/Emotet.CD
TrendMicro-HouseCall	TROJ_GEN.R057C0DHU20
Tencent	Malware.Win32.Gencirc.10cdfaad

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (4 个事件)

dead_host	45.16.226.117:443
dead_host	91.121.54.71:8080
dead_host	192.168.56.101:49180
dead_host	209.236.123.42:8080

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-08-29 00:24:00

Imports

Library MFC42.DLL:

• 0x404034

• 0x404038

• 0x40403c

• 0x404040

• 0x404044

• 0x404048

• 0x40404c

• 0x404050

• 0x404054

• 0x404058

• 0x40405c

• 0x404060

• 0x404064

• 0x404068

• 0x40406c

• 0x404070

• 0x404074

• 0x404078

• 0x40407c

• 0x404080

• 0x404084

• 0x404088

• 0x40408c

• 0x404090

• 0x404094

• 0x404098

• 0x40409c

• 0x4040a0

• 0x4040a4

• 0x4040a8

• 0x4040ac

• 0x4040b0

• 0x4040b4

• 0x4040b8

• 0x4040bc

• 0x4040c0

• 0x4040c4

• 0x4040c8

• 0x4040cc

• 0x4040d0

• 0x4040d4

• 0x4040d8

• 0x4040dc

• 0x4040e0

• 0x4040e4

• 0x4040e8

• 0x4040ec

• 0x4040f0

• 0x4040f4

• 0x4040f8

• 0x4040fc

• 0x404100

• 0x404104

• 0x404108

• 0x40410c

• 0x404110

• 0x404114

• 0x404118

• 0x40411c

• 0x404120

• 0x404124

• 0x404128

• 0x40412c

• 0x404130

• 0x404134

• 0x404138

• 0x40413c

• 0x404140

• 0x404144

• 0x404148

• 0x40414c

• 0x404150

• 0x404154

• 0x404158

• 0x40415c

• 0x404160

• 0x404164

• 0x404168

• 0x40416c

• 0x404170

• 0x404174

• 0x404178

• 0x40417c

• 0x404180

• 0x404184

• 0x404188

• 0x40418c

• 0x404190

• 0x404194

• 0x404198

• 0x40419c

• 0x4041a0

• 0x4041a4

• 0x4041a8

• 0x4041ac

• 0x4041b0

• 0x4041b4

• 0x4041b8

• 0x4041bc

• 0x4041c0

• 0x4041c4

• 0x4041c8

• 0x4041cc

• 0x4041d0

• 0x4041d4

• 0x4041d8

• 0x4041dc

• 0x4041e0

• 0x4041e4

• 0x4041e8

• 0x4041ec

• 0x4041f0

• 0x4041f4

Library MSVCRT.dll:

• 0x4041fc ??1type_info@@UAE@XZ

• 0x404200 _except_handler3

• 0x404204 __set_app_type

• 0x404208 __p__fmode

• 0x40420c _setmbcp

• 0x404210 __CxxFrameHandler

• 0x404214 strlen

• 0x404218 sprintf

• 0x40421c _ftol

• 0x404220 malloc

• 0x404224 _EH_prolog

• 0x404228 __dllonexit

• 0x40422c _onexit

• 0x404230 _exit

• 0x404234 __p__commode

• 0x404238 _adjust_fdiv

• 0x40423c __setusermatherr

• 0x404240 _initterm

• 0x404244 __getmainargs

• 0x404248 _acmdln

• 0x40424c exit

• 0x404250 _XcptFilter

• 0x404254 _controlfp

Library KERNEL32.dll:

• 0x40400c LocalFree

• 0x404010 GetProcAddress

• 0x404014 GetModuleHandleA

• 0x404018 GetStartupInfoA

• 0x40401c LoadLibraryA

• 0x404020 LocalAlloc

• 0x404024 VirtualAlloc

• 0x404028 LoadLibraryW

• 0x40402c FreeLibrary

Library USER32.dll:

• 0x40425c IsIconic

• 0x404260 GetSystemMetrics

• 0x404264 GetClientRect

• 0x404268 DrawIcon

• 0x40426c SendMessageA

• 0x404270 LoadIconA

• 0x404274 EnableWindow

• 0x404278 GetWindowRect

• 0x40427c RedrawWindow

• 0x404280 GetSysColor

Library GDI32.dll:

• 0x404000 Polygon

• 0x404004 CreatePen

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
r3---sn-j5o7dn7e.gvt1.com	CNAME r3.sn-j5o7dn7e.gvt1.com A 113.108.239.196	113.108.239.196
redirector.gvt1.com	A 203.208.41.65	203.208.41.65
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
r1---sn-j5o7dn7e.gvt1.com	A 113.108.239.194 CNAME r1.sn-j5o7dn7e.gvt1.com	113.108.239.194
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
update.googleapis.com	A 203.208.41.34	203.208.41.34
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49182	113.108.239.194 r1---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49183	113.108.239.196 r3---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49179	203.208.41.34 update.googleapis.com	443
192.168.56.101	49181	203.208.41.65 redirector.gvt1.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	49713	114.114.114.114	53
192.168.56.101	50002	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355
192.168.56.101	62191	224.0.0.252	5355
192.168.56.101	62318	224.0.0.252	5355
192.168.56.101	1900	239.255.255.250	1900

HTTP & HTTPS Requests

URI	Data
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=a6681797c21b89fa&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619657535&mv=m	GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=a6681797c21b89fa&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619657535&mv=m HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT Range: bytes=0-6716 User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: redirector.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=a6681797c21b89fa&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619657535&mv=m	GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=a6681797c21b89fa&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619657535&mv=m HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT Range: bytes=6717-18918 User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619657535&mv=m&mvi=1&pl=23&shardbypass=yes	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619657535&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r1---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=a6681797c21b89fa&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619657535&mv=m	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=a6681797c21b89fa&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619657535&mv=m HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.