11.2
0-day

10a6747a6e27f6e9dd5c77806d3276eee355c5acdfbf42df206f40cf75829698

97d4bcac4112d2f5380acbeeda6f9235.exe

Analysis duration

125s

Last analysis

File size

268.0KB
Static scan: malicious. Dynamic scan: malicious. Tags: 100% AI SCORE=100 BBYKB CONFIDENCE DOWNLOADER34 ELDORADO EMOTET GDND GENERICKDZ GENETIC HFZB HIGH CONFIDENCE HUCSVI KRYPTIK MALWARE@#3T010CDRYBNGD OBFUSE QRYOC0YXLYU R + TROJ R049C0DI720 SCORE SUSGEN TROJANBANKER TROJANX UNSAFE VOBFUSAGENTHQ
Eagle Eye engine
Not detected: no Eagle Eye engine results available
Static verdict
Antivirus engines
Engine Result Scan date Engine version
McAfee Emotet-FSD!97D4BCAC4112 20201003 6.0.6.653
Alibaba Trojan:Win32/Emotet.1fe1985c 20190527 0.3.0.5
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:TrojanX-gen [Trj] 20201003 18.4.3895.0
Kingsoft 20201003 2013.8.14.323
Static indicators
Queries for the computer name (1 event)
Time & API Arguments Status Return Repeated
1620826579.225249
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (5 events)
Time & API Arguments Status Return Repeated
1620826568.193249
CryptGenKey
crypto_handle: 0x005c59f0
algorithm_identifier: 0x0000660e ()
provider_handle: 0x005c51f8
flags: 1
key: fò—¿n×#Œs:j'°†
success 1 0
1620826579.225249
CryptExportKey
crypto_handle: 0x005c59f0
crypto_export_handle: 0x005c59b0
buffer: f¤Ëbo/”e'áˆRQ{‘˨„•ð[N¸fäƒSz6¶ÿ ʔDMý;eß}X˜¹ŠÎ[®ËX³S$:jðօ¾ýÖ&he5Uö.ª$ aa1ú/ÃÜL Ì50{õ˜
blob_type: 1
flags: 64
success 1 0
1620826611.365249
CryptExportKey
crypto_handle: 0x005c59f0
crypto_export_handle: 0x005c59b0
buffer: f¤M‘ÔwøùÏYZðQNÙÏ^¬´*ló„rt#Îþê•û†¿¯ƒ2¹2»ÆºahK3Dw¹Œ)ïèešUö;N îgm&ü´ùÎËà‡®ÓV'¬­ISÈɈúó
blob_type: 1
flags: 64
success 1 0
1620826635.459249
CryptExportKey
crypto_handle: 0x005c59f0
crypto_export_handle: 0x005c59b0
buffer: f¤I`Wbøò -LCT lÊIeˆ¤l#좽K#oœó÷ú¬_–%­·ï®´Ž›8¾ù"a™ËÒ™§íY-†‘bdõvŠ›†JÂæ÷¶ñŁ–aCºš²§¦$*‡48ÛD
blob_type: 1
flags: 64
success 1 0
1620826641.225249
CryptExportKey
crypto_handle: 0x005c59f0
crypto_export_handle: 0x005c59b0
buffer: f¤%cGgä{!‰­´»ã4ºì~#Í"tÖåÌC a˜ð"ћ¥êO¹§¶¥Hu‰’Žˆ ${ÚJ$îCEëumuY‰;žM0!o΀ºÎ˜ïM?¿°­ö2t˜òU¬öÓìo
blob_type: 1
flags: 64
success 1 0
The file contains an unknown PE resource name, possibly indicative of a packer (1 event)
resource name None
Behavioral verdict
Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware-related traffic (1 event)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:3970202781&cup2hreq=732dfe0439ee5c1f09f374d28d3be58b884378ae1e3b2009e0cfba39901c2e77
Performs some HTTP requests (5 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620797564&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=b82b78e45ec274e5&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620797564&mv=m&mvi=3
request GET http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=b82b78e45ec274e5&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620797564&mv=m&mvi=3
request POST https://update.googleapis.com/service/update2?cup2key=10:3970202781&cup2hreq=732dfe0439ee5c1f09f374d28d3be58b884378ae1e3b2009e0cfba39901c2e77
Sends data using the HTTP POST method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:3970202781&cup2hreq=732dfe0439ee5c1f09f374d28d3be58b884378ae1e3b2009e0cfba39901c2e77
Allocates read-write-execute memory (usually to unpack itself) (3 events)
Time & API Arguments Status Return Repeated
1620826562.349876
NtAllocateVirtualMemory
process_identifier: 1688
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00500000
success 0 0
1620826192.290395
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000004180000
success 0 0
1620826567.881249
NtAllocateVirtualMemory
process_identifier: 1888
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00500000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Searches running processes, potentially to identify processes for sandbox evasion, code injection or memory dumping (4 events)
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)
Time & API Arguments Status Return Repeated
1620826562.364876
NtProtectVirtualMemory
process_identifier: 1688
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 28672
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x00521000
success 0 0
Moves the original executable to a new location (1 event)
Time & API Arguments Status Return Repeated
1620826563.114876
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\97d4bcac4112d2f5380acbeeda6f9235.exe
newfilepath: C:\Windows\SysWOW64\wsock32\XpsFilt.exe
newfilepath_r: C:\Windows\SysWOW64\wsock32\XpsFilt.exe
flags: 3
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\97d4bcac4112d2f5380acbeeda6f9235.exe
success 1 0
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1620826584.162249
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 6.959926921745421 section {'size_of_data': '0x00010000', 'virtual_address': '0x00037000', 'entropy': 6.959926921745421, 'name': '.rsrc', 'virtual_size': '0x0000ffa8'} description A section with a high entropy has been found
entropy 0.24242424242424243 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 event)
process xpsfilt.exe
Reads the system's User-Agent and subsequently performs requests (1 event)
Time & API Arguments Status Return Repeated
1620826579.740249
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
Network communication
Communicates with hosts for which no DNS query was performed (6 events)
host 118.2.218.1
host 172.217.24.14
host 5.9.227.244
host 51.254.140.91
host 51.75.163.68
host 203.208.41.98
Installs itself for autorun at Windows startup (1 event)
service_name XpsFilt service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\wsock32\XpsFilt.exe"
Created a service that was not started (1 event)
Time & API Arguments Status Return Repeated
1620826567.067876
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x02b57648
display_name: XpsFilt
error_control: 0
service_name: XpsFilt
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\wsock32\XpsFilt.exe"
filepath_r: "C:\Windows\SysWOW64\wsock32\XpsFilt.exe"
service_manager_handle: 0x02b89080
desired_access: 2
service_type: 16
password:
success 45446728 0
Sets or modifies the WPAD proxy autoconfiguration settings for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1620826587.225249
RegSetValueExA
key_handle: 0x000003b4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1620826587.225249
RegSetValueExA
key_handle: 0x000003b4
value: €"ùF×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1620826587.225249
RegSetValueExA
key_handle: 0x000003b4
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1620826587.225249
RegSetValueExW
key_handle: 0x000003b4
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1620826587.225249
RegSetValueExA
key_handle: 0x000003d0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1620826587.225249
RegSetValueExA
key_handle: 0x000003d0
value: €"ùF×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1620826587.225249
RegSetValueExA
key_handle: 0x000003d0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1620826587.240249
RegSetValueExW
key_handle: 0x000003b0
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Attempts to remove evidence of the file having been downloaded from the Internet (1 event)
file C:\Windows\SysWOW64\wsock32\XpsFilt.exe:Zone.Identifier
File has been identified by 55 antivirus engines on VirusTotal as malicious (50 out of 55 events shown)
Bkav W32.VobfusAgentHQ.Trojan
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.69924
FireEye Trojan.GenericKDZ.69924
Qihoo-360 Generic/Trojan.43c
McAfee Emotet-FSD!97D4BCAC4112
Cylance Unsafe
Zillya Trojan.Emotet.Win32.28359
Sangfor Malware
K7AntiVirus Trojan ( 0056dc831 )
Alibaba Trojan:Win32/Emotet.1fe1985c
K7GW Trojan ( 0056dc831 )
CrowdStrike win/malicious_confidence_100% (W)
Arcabit Trojan.Generic.D11124
Invincea Mal/Generic-R + Troj/Emotet-CLZ
Cyren W32/Kryptik.BWJ.gen!Eldorado
Symantec Packed.Generic.554
APEX Malicious
Avast Win32:TrojanX-gen [Trj]
ClamAV Win.Malware.Emotet-9753021-0
Kaspersky Trojan-Banker.Win32.Emotet.gdnd
BitDefender Trojan.GenericKDZ.69924
NANO-Antivirus Trojan.Win32.Emotet.hucsvi
Paloalto generic.ml
Ad-Aware Trojan.GenericKDZ.69924
Emsisoft Trojan.Emotet (A)
Comodo Malware@#3t010cdrybngd
F-Secure Trojan.TR/AD.Emotet.bbykb
DrWeb Trojan.DownLoader34.32692
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R049C0DI720
McAfee-GW-Edition BehavesLike.Win32.Emotet.dh
Sophos Troj/Emotet-CLZ
Jiangmin Trojan.Banker.Emotet.oic
Avira TR/AD.Emotet.bbykb
MAX malware (ai score=100)
Antiy-AVL Trojan[Banker]/Win32.Emotet
Microsoft Trojan:Win32/Emotet.ARK!MTB
AegisLab Trojan.Win32.Emotet.L!c
ZoneAlarm Trojan-Banker.Win32.Emotet.gdnd
GData Trojan.GenericKDZ.69924
Cynet Malicious (score: 100)
AhnLab-V3 Malware/Win32.Generic.C4192695
ALYac Trojan.Agent.Emotet
TACHYON Trojan/W32.Agent.274432.ALH
VBA32 TrojanBanker.Emotet
Malwarebytes Trojan.Agent
ESET-NOD32 a variant of Win32/Kryptik.HFZB
TrendMicro-HouseCall TROJ_GEN.R049C0DI720
Rising Downloader.Obfuse!8.105AD (TFE:6:qryoc0yxlYU)
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (8 events)
dead_host 172.217.160.110:443
dead_host 51.75.163.68:7080
dead_host 172.217.24.14:443
dead_host 51.254.140.91:7080
dead_host 5.9.227.244:8080
dead_host 192.168.56.101:49197
dead_host 118.2.218.1:80
dead_host 172.217.160.78:443
Visual analysis
Binary image
No binary image: the sample did not generate a binary visualization image
Runtime screenshots
No screenshots: no screenshots were generated while the sample ran


PE Compile Time

2020-09-05 01:03:35

Imports

Library KERNEL32.dll:
0x4260b4 RtlUnwind
0x4260b8 GetStartupInfoA
0x4260bc GetCommandLineA
0x4260c0 ExitProcess
0x4260c4 TerminateProcess
0x4260c8 HeapReAlloc
0x4260cc HeapSize
0x4260d0 HeapDestroy
0x4260d4 HeapCreate
0x4260d8 VirtualFree
0x4260dc IsBadWritePtr
0x4260e0 LCMapStringA
0x4260e4 LCMapStringW
0x4260e8 GetStdHandle
0x4260fc VirtualQuery
0x426100 SetHandleCount
0x426104 GetFileType
0x42610c GetCurrentProcessId
0x426118 GetStringTypeA
0x42611c GetStringTypeW
0x426124 IsBadReadPtr
0x426128 IsBadCodePtr
0x42612c SetStdHandle
0x426134 GetSystemInfo
0x426138 VirtualAlloc
0x42613c VirtualProtect
0x426140 HeapFree
0x426144 HeapAlloc
0x426148 GetTickCount
0x42614c GetFileTime
0x426150 GetFileAttributesA
0x426158 SetErrorMode
0x426160 GetOEMCP
0x426164 GetCPInfo
0x426168 CreateFileA
0x42616c GetFullPathNameA
0x426174 FindFirstFileA
0x426178 FindClose
0x42617c GetCurrentProcess
0x426180 DuplicateHandle
0x426184 GetFileSize
0x426188 SetEndOfFile
0x42618c UnlockFile
0x426190 LockFile
0x426194 FlushFileBuffers
0x426198 SetFilePointer
0x42619c WriteFile
0x4261a0 ReadFile
0x4261a4 GlobalFlags
0x4261a8 TlsFree
0x4261ac LocalReAlloc
0x4261b0 TlsSetValue
0x4261b4 TlsAlloc
0x4261b8 TlsGetValue
0x4261c0 GlobalHandle
0x4261c4 GlobalReAlloc
0x4261cc LocalAlloc
0x4261dc RaiseException
0x4261e0 GlobalGetAtomNameA
0x4261e4 GlobalFindAtomA
0x4261e8 lstrcatA
0x4261ec lstrcmpW
0x4261f8 FreeResource
0x4261fc CloseHandle
0x426200 GlobalAddAtomA
0x426204 GetCurrentThread
0x426208 GetCurrentThreadId
0x42620c FreeLibrary
0x426210 GlobalDeleteAtom
0x426214 lstrcmpA
0x426218 GetModuleFileNameA
0x42621c GetModuleHandleA
0x426228 lstrcpyA
0x42622c LoadLibraryA
0x426230 SetLastError
0x426234 GlobalFree
0x426238 MulDiv
0x42623c GlobalAlloc
0x426240 GlobalLock
0x426244 GlobalUnlock
0x426248 FormatMessageA
0x42624c lstrcpynA
0x426250 LocalFree
0x426254 LoadLibraryW
0x426258 GetProcAddress
0x42625c FindResourceA
0x426260 LoadResource
0x426264 LockResource
0x426268 SizeofResource
0x42626c CompareStringW
0x426270 CompareStringA
0x426274 lstrlenA
0x426278 lstrcmpiA
0x42627c GetVersion
0x426280 GetLastError
0x426284 WideCharToMultiByte
0x426288 MultiByteToWideChar
0x42628c GetVersionExA
0x426290 GetThreadLocale
0x426294 GetLocaleInfoA
0x426298 GetACP
0x4262a0 InterlockedExchange
Library USER32.dll:
0x4262f0 PostThreadMessageA
0x4262f4 MessageBeep
0x4262f8 GetNextDlgGroupItem
0x4262fc InvalidateRgn
0x426300 InvalidateRect
0x426308 SetRect
0x42630c IsRectEmpty
0x426310 CharNextA
0x426314 ReleaseCapture
0x426318 SetCapture
0x42631c LoadCursorA
0x426320 GetSysColorBrush
0x426324 EndPaint
0x426328 BeginPaint
0x42632c GetWindowDC
0x426330 ReleaseDC
0x426334 GetDC
0x426338 ClientToScreen
0x42633c GrayStringA
0x426340 DrawTextExA
0x426344 DrawTextA
0x426348 TabbedTextOutA
0x42634c ShowWindow
0x426350 MoveWindow
0x426354 SetWindowTextA
0x426358 IsDialogMessageA
0x426360 WinHelpA
0x426364 GetCapture
0x426368 CreateWindowExA
0x42636c GetClassLongA
0x426370 GetClassInfoExA
0x426374 GetClassNameA
0x426378 SetPropA
0x42637c GetPropA
0x426380 RemovePropA
0x426384 SendDlgItemMessageA
0x426388 SetFocus
0x42638c IsChild
0x426394 GetWindowTextA
0x426398 GetForegroundWindow
0x42639c GetTopWindow
0x4263a0 GetMessageTime
0x4263a4 MapWindowPoints
0x4263a8 SetForegroundWindow
0x4263ac UpdateWindow
0x4263b0 GetMenu
0x4263b4 AdjustWindowRectEx
0x4263b8 EqualRect
0x4263bc GetClassInfoA
0x4263c0 RegisterClassA
0x4263c4 UnregisterClassA
0x4263c8 GetDlgCtrlID
0x4263cc DefWindowProcA
0x4263d0 CallWindowProcA
0x4263d4 SetWindowLongA
0x4263d8 OffsetRect
0x4263dc IntersectRect
0x4263e0 GetWindowPlacement
0x4263e4 GetWindowRect
0x4263e8 PtInRect
0x4263ec CharUpperA
0x4263f0 DrawIcon
0x4263f4 AppendMenuA
0x4263f8 SendMessageA
0x4263fc GetSystemMenu
0x426400 IsIconic
0x426404 GetClientRect
0x426408 EnableWindow
0x42640c LoadIconA
0x426410 GetSystemMetrics
0x426414 GetSysColor
0x42641c DestroyMenu
0x426420 CopyRect
0x426424 UnhookWindowsHookEx
0x426428 GetWindow
0x426430 MapDialogRect
0x426434 SetWindowPos
0x426438 wsprintfA
0x42643c GetDesktopWindow
0x426440 SetActiveWindow
0x42644c DestroyWindow
0x426450 IsWindow
0x426454 GetDlgItem
0x426458 GetNextDlgTabItem
0x42645c EndDialog
0x426460 SetMenuItemBitmaps
0x426464 GetFocus
0x426468 ModifyMenuA
0x42646c EnableMenuItem
0x426470 CheckMenuItem
0x426478 LoadBitmapA
0x42647c GetMessagePos
0x426480 GetSubMenu
0x426484 GetMenuItemCount
0x426488 GetMenuItemID
0x42648c GetMenuState
0x426490 PostMessageA
0x426494 PostQuitMessage
0x426498 SetCursor
0x42649c IsWindowEnabled
0x4264a0 GetLastActivePopup
0x4264a4 GetWindowLongA
0x4264a8 GetParent
0x4264ac MessageBoxA
0x4264b0 ValidateRect
0x4264b4 GetCursorPos
0x4264b8 PeekMessageA
0x4264bc GetKeyState
0x4264c0 IsWindowVisible
0x4264c4 GetActiveWindow
0x4264c8 DispatchMessageA
0x4264cc TranslateMessage
0x4264d0 GetMessageA
0x4264d4 CallNextHookEx
0x4264d8 SetWindowsHookExA
Library GDI32.dll:
0x426030 GetBkColor
0x426034 GetTextColor
0x42603c GetRgnBox
0x426040 GetStockObject
0x426044 DeleteDC
0x426048 ExtSelectClipRgn
0x42604c ScaleWindowExtEx
0x426050 SetWindowExtEx
0x426054 ScaleViewportExtEx
0x426058 SetViewportExtEx
0x42605c OffsetViewportOrgEx
0x426060 SetViewportOrgEx
0x426064 SelectObject
0x426068 Escape
0x42606c TextOutA
0x426070 RectVisible
0x426074 GetMapMode
0x426078 GetDeviceCaps
0x42607c GetWindowExtEx
0x426080 GetViewportExtEx
0x426084 DeleteObject
0x426088 SetMapMode
0x42608c RestoreDC
0x426090 SaveDC
0x426094 SetBkColor
0x426098 SetTextColor
0x42609c GetClipBox
0x4260a0 ExtTextOutA
0x4260a4 GetObjectA
0x4260a8 CreateBitmap
0x4260ac PtVisible
Library comdlg32.dll:
0x4264f0 GetFileTitleA
Library WINSPOOL.DRV:
0x4264e0 OpenPrinterA
0x4264e4 DocumentPropertiesA
0x4264e8 ClosePrinter
Library ADVAPI32.dll:
0x426000 RegQueryValueExA
0x426004 RegCreateKeyExA
0x426008 RegSetValueExA
0x42600c RegOpenKeyA
0x426010 RegOpenKeyExA
0x426014 RegDeleteKeyA
0x426018 RegEnumKeyA
0x42601c RegQueryValueA
0x426020 RegCloseKey
Library COMCTL32.dll:
0x426028
Library SHLWAPI.dll:
0x4262dc PathFindFileNameA
0x4262e0 PathStripToRootA
0x4262e4 PathFindExtensionA
0x4262e8 PathIsUNCA
Library oledlg.dll:
0x426538
Library ole32.dll:
0x426504 CoGetClassObject
0x426508 CLSIDFromString
0x42650c CLSIDFromProgID
0x426510 CoTaskMemFree
0x426514 OleUninitialize
0x426520 OleFlushClipboard
0x426528 CoRevokeClassObject
0x42652c CoTaskMemAlloc
0x426530 OleInitialize
Library OLEAUT32.dll:
0x4262a8 SysAllocStringLen
0x4262ac VariantClear
0x4262b0 VariantChangeType
0x4262b4 VariantInit
0x4262b8 SysStringLen
0x4262c8 SafeArrayDestroy
0x4262cc SysAllocString
0x4262d0 VariantCopy
0x4262d4 SysFreeString

Exports

Ordinal Address Name
1 0x401545 UUACZDADWAJJJJJ

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49199 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49200 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49198 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49194 203.208.41.66 update.googleapis.com 443
203.208.41.98 443 192.168.56.101 49187

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 53500 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56743 114.114.114.114 53
192.168.56.101 58070 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60088 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 54991 224.0.0.252 5355
192.168.56.101 55169 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=b82b78e45ec274e5&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620797564&mv=m&mvi=3
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=b82b78e45ec274e5&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620797564&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=33271-52558
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620797564&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620797564&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=b82b78e45ec274e5&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620797564&mv=m&mvi=3
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=b82b78e45ec274e5&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620797564&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=0-7458
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=b82b78e45ec274e5&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620797564&mv=m&mvi=3
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=b82b78e45ec274e5&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620797564&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=19035-33270
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=b82b78e45ec274e5&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620797564&mv=m&mvi=3
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=b82b78e45ec274e5&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620797564&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=52559-72023
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=b82b78e45ec274e5&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620797564&mv=m&mvi=3
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=b82b78e45ec274e5&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620797564&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=7459-19034
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=b82b78e45ec274e5&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620797564&mv=m&mvi=3
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=b82b78e45ec274e5&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620797564&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.