SmartHawk

11.2

0-day

56 个模型检测该样本为恶意！

重新分析

下载样本

9b35408ca7fc6cbc2185a36d5e5665e6f47c168c5d074cc848916bf1c8b96d0d

a2e1f2f64fb09b8a4e772a5a734e5b33.exe

分析耗时

125s

最近分析

文件大小

669.5KB

静态报毒动态报毒 100% ABFWP AI SCORE=83 BANKERX CLASSIC CONFIDENCE D2C3T2DB2I0 DOWNLOADER33 ELDORADO EMOTET EMOTETU FAMVT GENCIRC HCYH HIGH CONFIDENCE HJIUWB KRYPT KRYPTIK MALWARE@#3G0ZHDGMO1079 MIDGAREF PQW@A0ZCHZOI PQW@B0ZCHZOI R066C0DIK20 R334227 SCORE SUSGEN TROJANBANKER UNSAFE ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
Alibaba	Trojan:Win32/Emotet.5b7cd4ed	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:BankerX-gen [Trj]	20201229	21.1.5827.0
Kingsoft		20201229	2017.9.26.565
McAfee	Emotet-FQQ!A2E1F2F64FB0	20201229	6.0.6.653
Tencent	Malware.Win32.Gencirc.10b9eb46	20201229	1.0.0.1
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619809480.703374 GetComputerNameA	computer_name: OSKAR-PC	success	1	0

Uses Windows APIs to generate a cryptographic key (5 个事件)

Time & API	Arguments	Status	Return
1619809471.344374 CryptGenKey	crypto_handle: 0x0064a7f0 algorithm_identifier: 0x0000660e () provider_handle: 0x00649b48 flags: 1 key: f@«¾{ÐhUÈõHr¨¿j	success	1
1619809480.766374 CryptExportKey	crypto_handle: 0x0064a7f0 crypto_export_handle: 0x00649c10 buffer: f¤ËFÂtîâ*¥Kn~k©è9)C'Ï¤·%Ügµ5lÞDuî`¹U i1O·&ªÛÀÙ§<ª/L{r u>JíTfª#«óÃ´W_C=øxAÑÏ blob_type: 1 flags: 64	success	1
1619809488.031374 CryptExportKey	crypto_handle: 0x0064a7f0 crypto_export_handle: 0x00649c10 buffer: f¤[p{B_Up Å¨¤lú~qS£CÅNftÞ ZÕÍ6¨öVÔû®ýþÛ¸wc\|©D¡Lîaï¸W1ØÀ!Æ$ixV6 KåØ,j`:ìl{»RS {1÷mlHt blob_type: 1 flags: 64	success	1
1619809492.297374 CryptExportKey	crypto_handle: 0x0064a7f0 crypto_export_handle: 0x00649c10 buffer: f¤j'ÄÒý!¿2ÐpHOD¨°ä-3í!*éDj«8^\|ÑpÃÆóökØA.ñè( x±J¼Òâ¬#"æ²µXÀ$¢¤Ê1È ~<7`x/¯ £å±Bi0Rê³°?& blob_type: 1 flags: 64	success	1
1619809514.703374 CryptExportKey	crypto_handle: 0x0064a7f0 crypto_export_handle: 0x00649c10 buffer: f¤G-Ú$Kz.®jVPõ7ýº-ü·Ö~bàÅãyw;l/l9o#þüÂ¨&lS=qäÿ<IjÃÇ]fcIYW£¨!c"eLÿbtÕ blob_type: 1 flags: 64	success	1

This executable has a PDB path (1 个事件)

pdb_path

c:\Users\User\Desktop\2008\24.4.20\GDIPlusBrushes_src\GDI Plus Brushes\Release\GDI Plus Brushes.pdb

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)

suspicious_features

POST method with no referer header

suspicious_request

POST https://update.googleapis.com/service/update2?cup2key=10:827237873&cup2hreq=7de369870661b523a05906e199c2b5cdf5242f56e29a9fb583f4f5f73bb69e45

Performs some HTTP requests (4 个事件)

request	HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619780417&mv=m&mvi=1&pl=23&shardbypass=yes
request	HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=283dc48e846640dc&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619780417&mv=m
request	POST https://update.googleapis.com/service/update2?cup2key=10:827237873&cup2hreq=7de369870661b523a05906e199c2b5cdf5242f56e29a9fb583f4f5f73bb69e45

Sends data using the HTTP POST Method (1 个事件)

request

POST https://update.googleapis.com/service/update2?cup2key=10:827237873&cup2hreq=7de369870661b523a05906e199c2b5cdf5242f56e29a9fb583f4f5f73bb69e45

Allocates read-write-execute memory (usually to unpack itself) (3 个事件)

Time & API	Arguments	Status
1619809453.798249 NtAllocateVirtualMemory	process_identifier: 920 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00660000	success
1619809073.473271 NtAllocateVirtualMemory	process_identifier: 1424 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0000000004140000	success
1619809461.188374 NtAllocateVirtualMemory	process_identifier: 1380 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x005c0000	success

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Foreign language identified in PE resource (5 个事件)

name

RT_ICON

language

LANG_ENGLISH

offset

0x000a1354

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ENGLISH_AUS

size

0x00000128

name

RT_ICON

language

LANG_ENGLISH

offset

0x000a1354

filetype

GLS_BINARY_LSB_FIRST

sublanguage

SUBLANG_ENGLISH_AUS

size

0x00000128

name

RT_MENU

language

LANG_ENGLISH

offset

0x000a147c

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

size

0x0000016e

name

RT_RCDATA

language

LANG_ENGLISH

offset

0x000a3428

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

size

0x00009f44

name

RT_GROUP_ICON

language

LANG_ENGLISH

offset

0x000ad4a8

filetype

data

sublanguage

SUBLANG_ENGLISH_AUS

size

0x00000022

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619809514.672374 Process32NextW	process_name: inject-x64.exe snapshot_handle: 0x000003f0 process_identifier: 3184	success	1	0

Moves the original executable to a new location (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619809458.907249 MoveFileWithProgressW	oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a2e1f2f64fb09b8a4e772a5a734e5b33.exe newfilepath: C:\Windows\SysWOW64\KBDIT142\KBDIT142.exe newfilepath_r: C:\Windows\SysWOW64\KBDIT142\KBDIT142.exe flags: 3 oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a2e1f2f64fb09b8a4e772a5a734e5b33.exe	success	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619809481.188374 GetAdaptersAddresses	flags: 0 family: 0	failed	111	0

The binary likely contains encrypted or compressed data indicative of a packer (1 个事件)

entropy

7.220554180940116

section

{'size_of_data': '0x0000e800', 'virtual_address': '0x0009f000', 'entropy': 7.220554180940116, 'name': '.rsrc', 'virtual_size': '0x0000e628'}

description

A section with a high entropy has been found

Expresses interest in specific running processes (1 个事件)

process

kbdit142.exe

Reads the systems User Agent and subsequently performs requests (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619809480.922374 InternetOpenW	proxy_bypass: access_type: 0 proxy_name: flags: 0 user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)	success	13369348	0

Communicates with host for which no DNS query was performed (5 个事件)

host	103.31.232.93
host	152.170.196.157
host	172.217.24.14
host	200.123.183.137
host	201.213.100.141

Installs itself for autorun at Windows startup (1 个事件)

service_name

KBDIT142

service_path

C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\KBDIT142\KBDIT142.exe"

Created a service where a service was also not started (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619809460.064249 CreateServiceW	service_start_name: start_type: 2 service_handle: 0x0097f730 display_name: KBDIT142 error_control: 0 service_name: KBDIT142 filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\KBDIT142\KBDIT142.exe" filepath_r: "C:\Windows\SysWOW64\KBDIT142\KBDIT142.exe" service_manager_handle: 0x009fdc50 desired_access: 2 service_type: 16 password:	success	9959216	0

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)

Time & API	Arguments	Status
1619809483.750374 RegSetValueExA	key_handle: 0x000003d0 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1619809483.750374 RegSetValueExA	key_handle: 0x000003d0 value: pÏ'Ò=× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1619809483.750374 RegSetValueExA	key_handle: 0x000003d0 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1619809483.750374 RegSetValueExW	key_handle: 0x000003d0 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1619809483.750374 RegSetValueExA	key_handle: 0x000003e8 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1619809483.750374 RegSetValueExA	key_handle: 0x000003e8 value: pÏ'Ò=× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1619809483.750374 RegSetValueExA	key_handle: 0x000003e8 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1619809483.750374 RegSetValueExW	key_handle: 0x000003cc value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success

Attempts to remove evidence of file being downloaded from the Internet (1 个事件)

file	C:\Windows\SysWOW64\KBDIT142\KBDIT142.exe:Zone.Identifier

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)

Bkav	W32.FamVT.MidgareF.Trojan
Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.EmotetU.Gen.PqW@b0zChZoi
Qihoo-360	Generic/Trojan.4a0
ALYac	Trojan.EmotetU.Gen.PqW@b0zChZoi
Cylance	Unsafe
Sangfor	Malware
K7AntiVirus	Trojan ( 005657081 )
Alibaba	Trojan:Win32/Emotet.5b7cd4ed
K7GW	Trojan ( 005657081 )
Cybereason	malicious.64fb09
Arcabit	Trojan.EmotetU.Gen.E7E4C8
Cyren	W32/Emotet.AKC.gen!Eldorado
Symantec	Trojan.Emotet
APEX	Malicious
Avast	Win32:BankerX-gen [Trj]
ClamAV	Win.Malware.Emotet-7702424-0
Kaspersky	HEUR:Trojan-Banker.Win32.Emotet.gen
BitDefender	Trojan.EmotetU.Gen.PqW@b0zChZoi
NANO-Antivirus	Trojan.Win32.Kryptik.hjiuwb
Paloalto	generic.ml
AegisLab	Trojan.Win32.Emotet.L!c
Rising	Trojan.Kryptik!1.C71F (CLASSIC)
Ad-Aware	Trojan.EmotetU.Gen.PqW@b0zChZoi
Sophos	Mal/Generic-S
Comodo	Malware@#3g0zhdgmo1079
F-Secure	Trojan.TR/AD.Emotet.abfwp
DrWeb	Trojan.DownLoader33.36979
VIPRE	Trojan.Win32.Generic!BT
TrendMicro	TROJ_GEN.R066C0DIK20
McAfee-GW-Edition	BehavesLike.Win32.Emotet.jh
FireEye	Generic.mg.a2e1f2f64fb09b8a
Emsisoft	Trojan.Emotet (A)
Ikarus	Trojan.Win32.Krypt
Jiangmin	Trojan.Banker.Emotet.nqb
Avira	TR/AD.Emotet.abfwp
MAX	malware (ai score=83)
Antiy-AVL	Trojan/Win32.Emotet
Microsoft	Trojan:Win32/Emotet.DDZ!MTB
ZoneAlarm	HEUR:Trojan-Banker.Win32.Emotet.gen
GData	Trojan.EmotetU.Gen.PqW@b0zChZoi
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win32.Emotet.R334227
McAfee	Emotet-FQQ!A2E1F2F64FB0
VBA32	TrojanBanker.Emotet
Malwarebytes	Trojan.Emotet
ESET-NOD32	a variant of Win32/Kryptik.HCYH
TrendMicro-HouseCall	TrojanSpy.Win32.EMOTET.SMT.hp
Tencent	Malware.Win32.Gencirc.10b9eb46
Yandex	Trojan.Kryptik!D2c3t2Db2i0

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (8 个事件)

dead_host	172.217.160.110:443
dead_host	172.217.24.14:443
dead_host	103.31.232.93:443
dead_host	201.213.100.141:8080
dead_host	152.170.196.157:443
dead_host	200.123.183.137:443
dead_host	192.168.56.101:49182
dead_host	192.168.56.101:49184

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-04-25 03:19:45

Imports

Library gdiplus.dll:

• 0x47a7e0 GdipAlloc

• 0x47a7e4 GdipTranslateTextureTransform

• 0x47a7e8 GdipScaleTextureTransform

• 0x47a7ec GdipRotateTextureTransform

• 0x47a7f0 GdipSetTextureWrapMode

• 0x47a7f4 GdipSetLineBlend

• 0x47a7f8 GdipSetLineSigmaBlend

• 0x47a7fc GdipSetLineLinearBlend

• 0x47a800 GdipTranslateLineTransform

• 0x47a804 GdipScaleLineTransform

• 0x47a808 GdipCreatePen1

• 0x47a80c GdipDeletePen

• 0x47a810 GdipDeleteGraphics

• 0x47a814 GdipLoadImageFromFile

• 0x47a818 GdipLoadImageFromFileICM

• 0x47a81c GdipFree

• 0x47a820 GdipGetImageWidth

• 0x47a824 GdipGetImageHeight

• 0x47a828 GdipCreateSolidFill

• 0x47a82c GdipCreateTextureIAI

• 0x47a830 GdipCreateLineBrushFromRectWithAngleI

• 0x47a834 GdipCreateFromHDC

• 0x47a838 GdipTranslateWorldTransform

• 0x47a83c GdipScaleWorldTransform

• 0x47a840 GdipRotateWorldTransform

• 0x47a844 GdipDrawLineI

• 0x47a848 GdipFillRectangleI

• 0x47a84c GdipFillEllipseI

• 0x47a850 GdipCloneBrush

• 0x47a854 GdipCloneImage

• 0x47a858 GdipDeleteBrush

• 0x47a85c GdiplusStartup

• 0x47a860 GdipDisposeImage

• 0x47a864 GdiplusShutdown

Library KERNEL32.dll:

• 0x47a1a8 GetThreadLocale

• 0x47a1ac lstrcmpiA

• 0x47a1b0 ReadFile

• 0x47a1b4 WriteFile

• 0x47a1b8 SetFilePointer

• 0x47a1bc FlushFileBuffers

• 0x47a1c0 LockFile

• 0x47a1c4 UnlockFile

• 0x47a1c8 SetEndOfFile

• 0x47a1cc GetFileSize

• 0x47a1d0 DuplicateHandle

• 0x47a1d4 GetCurrentProcess

• 0x47a1d8 FindClose

• 0x47a1dc FindFirstFileA

• 0x47a1e0 GetVolumeInformationA

• 0x47a1e4 GetFullPathNameA

• 0x47a1e8 GetShortPathNameA

• 0x47a1ec CreateFileA

• 0x47a1f0 GetCPInfo

• 0x47a1f4 GetOEMCP

• 0x47a1f8 GetAtomNameA

• 0x47a1fc GetModuleHandleW

• 0x47a200 FileTimeToSystemTime

• 0x47a204 SystemTimeToFileTime

• 0x47a208 SetErrorMode

• 0x47a20c FileTimeToLocalFileTime

• 0x47a210 LocalFileTimeToFileTime

• 0x47a214 GetStringTypeExA

• 0x47a218 SetFileAttributesA

• 0x47a21c GetFileAttributesA

• 0x47a220 GetFileSizeEx

• 0x47a224 GetFileTime

• 0x47a228 GetTickCount

• 0x47a22c RtlUnwind

• 0x47a230 RaiseException

• 0x47a234 GetCommandLineA

• 0x47a238 GetStartupInfoA

• 0x47a23c HeapAlloc

• 0x47a240 HeapFree

• 0x47a244 Sleep

• 0x47a248 ExitProcess

• 0x47a24c ExitThread

• 0x47a250 CreateThread

• 0x47a254 VirtualProtect

• 0x47a258 VirtualAlloc

• 0x47a25c GetSystemInfo

• 0x47a260 VirtualQuery

• 0x47a264 HeapReAlloc

• 0x47a268 HeapSize

• 0x47a26c TerminateProcess

• 0x47a270 UnhandledExceptionFilter

• 0x47a274 SetUnhandledExceptionFilter

• 0x47a278 IsDebuggerPresent

• 0x47a27c GetStdHandle

• 0x47a280 FreeEnvironmentStringsA

• 0x47a284 GetEnvironmentStrings

• 0x47a288 FreeEnvironmentStringsW

• 0x47a28c GetEnvironmentStringsW

• 0x47a290 SetHandleCount

• 0x47a294 GetFileType

• 0x47a298 HeapCreate

• 0x47a29c HeapDestroy

• 0x47a2a0 VirtualFree

• 0x47a2a4 QueryPerformanceCounter

• 0x47a2a8 GetSystemTimeAsFileTime

• 0x47a2ac FatalAppExitA

• 0x47a2b0 SetConsoleCtrlHandler

• 0x47a2b4 InitializeCriticalSectionAndSpinCount

• 0x47a2b8 GetACP

• 0x47a2bc IsValidCodePage

• 0x47a2c0 GetStringTypeA

• 0x47a2c4 GetStringTypeW

• 0x47a2c8 GetTimeZoneInformation

• 0x47a2cc GetLocaleInfoW

• 0x47a2d0 GetConsoleCP

• 0x47a2d4 GetConsoleMode

• 0x47a2d8 LCMapStringA

• 0x47a2dc LCMapStringW

• 0x47a2e0 GetTimeFormatA

• 0x47a2e4 GetDateFormatA

• 0x47a2e8 GetUserDefaultLCID

• 0x47a2ec EnumSystemLocalesA

• 0x47a2f0 IsValidLocale

• 0x47a2f4 SetStdHandle

• 0x47a2f8 WriteConsoleA

• 0x47a2fc GetConsoleOutputCP

• 0x47a300 WriteConsoleW

• 0x47a304 CompareStringW

• 0x47a308 SetEnvironmentVariableA

• 0x47a30c DeleteFileA

• 0x47a310 MoveFileA

• 0x47a314 InterlockedIncrement

• 0x47a318 TlsFree

• 0x47a31c DeleteCriticalSection

• 0x47a320 LocalReAlloc

• 0x47a324 TlsSetValue

• 0x47a328 TlsAlloc

• 0x47a32c InitializeCriticalSection

• 0x47a330 GlobalHandle

• 0x47a334 GlobalReAlloc

• 0x47a338 EnterCriticalSection

• 0x47a33c TlsGetValue

• 0x47a340 LeaveCriticalSection

• 0x47a344 LocalAlloc

• 0x47a348 GlobalFlags

• 0x47a34c GetCurrentDirectoryA

• 0x47a350 GetPrivateProfileStringA

• 0x47a354 WritePrivateProfileStringA

• 0x47a358 GetPrivateProfileIntA

• 0x47a35c InterlockedDecrement

• 0x47a360 GetModuleFileNameW

• 0x47a364 CopyFileA

• 0x47a368 GlobalSize

• 0x47a36c FormatMessageA

• 0x47a370 LocalFree

• 0x47a374 lstrlenW

• 0x47a378 MulDiv

• 0x47a37c lstrlenA

• 0x47a380 GlobalGetAtomNameA

• 0x47a384 GlobalFindAtomA

• 0x47a388 MultiByteToWideChar

• 0x47a38c lstrcmpW

• 0x47a390 GetVersionExA

• 0x47a394 GlobalUnlock

• 0x47a398 GlobalFree

• 0x47a39c FreeResource

• 0x47a3a0 GetCurrentProcessId

• 0x47a3a4 GetLastError

• 0x47a3a8 SetLastError

• 0x47a3ac GlobalAddAtomA

• 0x47a3b0 CreateEventA

• 0x47a3b4 SuspendThread

• 0x47a3b8 SetEvent

• 0x47a3bc WaitForSingleObject

• 0x47a3c0 ResumeThread

• 0x47a3c4 SetThreadPriority

• 0x47a3c8 CloseHandle

• 0x47a3cc GlobalDeleteAtom

• 0x47a3d0 GetCurrentThread

• 0x47a3d4 GetCurrentThreadId

• 0x47a3d8 ConvertDefaultLocale

• 0x47a3dc EnumResourceLanguagesA

• 0x47a3e0 GetModuleFileNameA

• 0x47a3e4 GetLocaleInfoA

• 0x47a3e8 LoadLibraryA

• 0x47a3ec CompareStringA

• 0x47a3f0 InterlockedExchange

• 0x47a3f4 GlobalLock

• 0x47a3f8 lstrcmpA

• 0x47a3fc GlobalAlloc

• 0x47a400 FreeLibrary

• 0x47a404 GetModuleHandleA

• 0x47a408 GetProcAddress

• 0x47a40c LoadLibraryExW

• 0x47a410 WideCharToMultiByte

• 0x47a414 FindResourceA

• 0x47a418 LoadResource

• 0x47a41c LockResource

• 0x47a420 SizeofResource

• 0x47a424 SetFileTime

Library USER32.dll:

• 0x47a508 GetMenuItemInfoA

• 0x47a50c DestroyMenu

• 0x47a510 FillRect

• 0x47a514 TabbedTextOutA

• 0x47a518 DrawTextA

• 0x47a51c DrawTextExA

• 0x47a520 GrayStringA

• 0x47a524 ClientToScreen

• 0x47a528 GetDC

• 0x47a52c ReleaseDC

• 0x47a530 GetWindowDC

• 0x47a534 BeginPaint

• 0x47a538 EndPaint

• 0x47a53c DeleteMenu

• 0x47a540 SetCapture

• 0x47a544 WindowFromPoint

• 0x47a548 LoadCursorA

• 0x47a54c ReleaseCapture

• 0x47a550 WaitMessage

• 0x47a554 GetSysColorBrush

• 0x47a558 DestroyIcon

• 0x47a55c CharUpperA

• 0x47a560 GetDialogBaseUnits

• 0x47a564 CharNextA

• 0x47a568 CopyAcceleratorTableA

• 0x47a56c IsRectEmpty

• 0x47a570 SetRect

• 0x47a574 InvalidateRgn

• 0x47a578 GetNextDlgGroupItem

• 0x47a57c MessageBeep

• 0x47a580 UnregisterClassA

• 0x47a584 SetRectEmpty

• 0x47a588 TranslateAcceleratorA

• 0x47a58c BringWindowToTop

• 0x47a590 CreatePopupMenu

• 0x47a594 InsertMenuItemA

• 0x47a598 LoadAcceleratorsA

• 0x47a59c GetMenuBarInfo

• 0x47a5a0 LoadMenuA

• 0x47a5a4 ReuseDDElParam

• 0x47a5a8 UnpackDDElParam

• 0x47a5ac RegisterClipboardFormatA

• 0x47a5b0 SetTimer

• 0x47a5b4 KillTimer

• 0x47a5b8 GetKeyNameTextA

• 0x47a5bc MapVirtualKeyA

• 0x47a5c0 SetParent

• 0x47a5c4 UnionRect

• 0x47a5c8 PostThreadMessageA

• 0x47a5cc GetDCEx

• 0x47a5d0 LockWindowUpdate

• 0x47a5d4 GetDlgItemTextA

• 0x47a5d8 GetDlgItemInt

• 0x47a5dc CheckRadioButton

• 0x47a5e0 CheckDlgButton

• 0x47a5e4 RegisterWindowMessageA

• 0x47a5e8 SendDlgItemMessageA

• 0x47a5ec WinHelpA

• 0x47a5f0 IsChild

• 0x47a5f4 GetCapture

• 0x47a5f8 GetClassLongA

• 0x47a5fc GetClassNameA

• 0x47a600 SetPropA

• 0x47a604 GetPropA

• 0x47a608 RemovePropA

• 0x47a60c SetFocus

• 0x47a610 GetWindowTextLengthA

• 0x47a614 GetWindowTextA

• 0x47a618 GetForegroundWindow

• 0x47a61c BeginDeferWindowPos

• 0x47a620 EndDeferWindowPos

• 0x47a624 GetTopWindow

• 0x47a628 UnhookWindowsHookEx

• 0x47a62c GetMessageTime

• 0x47a630 GetMessagePos

• 0x47a634 MapWindowPoints

• 0x47a638 ScrollWindow

• 0x47a63c TrackPopupMenuEx

• 0x47a640 TrackPopupMenu

• 0x47a644 InflateRect

• 0x47a648 SetScrollRange

• 0x47a64c GetScrollRange

• 0x47a650 SetScrollPos

• 0x47a654 GetScrollPos

• 0x47a658 SetForegroundWindow

• 0x47a65c ShowScrollBar

• 0x47a660 UpdateWindow

• 0x47a664 CreateWindowExA

• 0x47a668 GetClassInfoExA

• 0x47a66c GetClassInfoA

• 0x47a670 RegisterClassA

• 0x47a674 GetSysColor

• 0x47a678 AdjustWindowRectEx

• 0x47a67c ScreenToClient

• 0x47a680 EqualRect

• 0x47a684 DeferWindowPos

• 0x47a688 GetScrollInfo

• 0x47a68c SetScrollInfo

• 0x47a690 CopyRect

• 0x47a694 PtInRect

• 0x47a698 SetWindowPlacement

• 0x47a69c GetDlgCtrlID

• 0x47a6a0 DefWindowProcA

• 0x47a6a4 CallWindowProcA

• 0x47a6a8 GetMenu

• 0x47a6ac SetWindowLongA

• 0x47a6b0 OffsetRect

• 0x47a6b4 IntersectRect

• 0x47a6b8 SystemParametersInfoA

• 0x47a6bc GetWindowPlacement

• 0x47a6c0 GetWindow

• 0x47a6c4 SetWindowContextHelpId

• 0x47a6c8 MapDialogRect

• 0x47a6cc SetWindowPos

• 0x47a6d0 GetDesktopWindow

• 0x47a6d4 SetActiveWindow

• 0x47a6d8 CreateDialogIndirectParamA

• 0x47a6dc DestroyWindow

• 0x47a6e0 IsWindow

• 0x47a6e4 GetDlgItem

• 0x47a6e8 GetNextDlgTabItem

• 0x47a6ec EndDialog

• 0x47a6f0 GetWindowThreadProcessId

• 0x47a6f4 GetWindowLongA

• 0x47a6f8 GetLastActivePopup

• 0x47a6fc IsWindowEnabled

• 0x47a700 MessageBoxA

• 0x47a704 ShowOwnedPopups

• 0x47a708 SetCursor

• 0x47a70c SetWindowsHookExA

• 0x47a710 CallNextHookEx

• 0x47a714 GetMessageA

• 0x47a718 TranslateMessage

• 0x47a71c DispatchMessageA

• 0x47a720 GetActiveWindow

• 0x47a724 IsWindowVisible

• 0x47a728 GetKeyState

• 0x47a72c PeekMessageA

• 0x47a730 GetCursorPos

• 0x47a734 ValidateRect

• 0x47a738 SetMenuItemBitmaps

• 0x47a73c GetMenuCheckMarkDimensions

• 0x47a740 LoadBitmapA

• 0x47a744 GetFocus

• 0x47a748 GetParent

• 0x47a74c ModifyMenuA

• 0x47a750 GetMenuState

• 0x47a754 EnableMenuItem

• 0x47a758 CheckMenuItem

• 0x47a75c PostMessageA

• 0x47a760 PostQuitMessage

• 0x47a764 GetSystemMetrics

• 0x47a768 LoadIconA

• 0x47a76c EnableWindow

• 0x47a770 InvalidateRect

• 0x47a774 GetClientRect

• 0x47a778 IsIconic

• 0x47a77c GetSystemMenu

• 0x47a780 SendMessageA

• 0x47a784 GetSubMenu

• 0x47a788 GetMenuItemID

• 0x47a78c GetMenuStringA

• 0x47a790 InsertMenuA

• 0x47a794 RemoveMenu

• 0x47a798 ScrollWindowEx

• 0x47a79c ShowWindow

• 0x47a7a0 MoveWindow

• 0x47a7a4 SetWindowTextA

• 0x47a7a8 IsDialogMessageA

• 0x47a7ac IsDlgButtonChecked

• 0x47a7b0 SetDlgItemTextA

• 0x47a7b4 SetMenu

• 0x47a7b8 SetDlgItemInt

• 0x47a7bc GetMenuItemCount

• 0x47a7c0 AppendMenuA

• 0x47a7c4 DrawIcon

• 0x47a7c8 GetWindowRect

Library GDI32.dll:

• 0x47a03c RestoreDC

• 0x47a040 SetBkMode

• 0x47a044 SetPolyFillMode

• 0x47a048 SetROP2

• 0x47a04c SetStretchBltMode

• 0x47a050 SetGraphicsMode

• 0x47a054 SetWorldTransform

• 0x47a058 ModifyWorldTransform

• 0x47a05c SetMapMode

• 0x47a060 ExcludeClipRect

• 0x47a064 IntersectClipRect

• 0x47a068 OffsetClipRgn

• 0x47a06c LineTo

• 0x47a070 MoveToEx

• 0x47a074 SetTextAlign

• 0x47a078 SetTextJustification

• 0x47a07c SetTextCharacterExtra

• 0x47a080 SetMapperFlags

• 0x47a084 SetArcDirection

• 0x47a088 SetColorAdjustment

• 0x47a08c PtVisible

• 0x47a090 RectVisible

• 0x47a094 TextOutA

• 0x47a098 Escape

• 0x47a09c SelectObject

• 0x47a0a0 SetViewportOrgEx

• 0x47a0a4 OffsetViewportOrgEx

• 0x47a0a8 SetViewportExtEx

• 0x47a0ac ScaleViewportExtEx

• 0x47a0b0 SetWindowOrgEx

• 0x47a0b4 OffsetWindowOrgEx

• 0x47a0b8 SetWindowExtEx

• 0x47a0bc ScaleWindowExtEx

• 0x47a0c0 SaveDC

• 0x47a0c4 ArcTo

• 0x47a0c8 ExtTextOutA

• 0x47a0cc PolyDraw

• 0x47a0d0 PolylineTo

• 0x47a0d4 PolyBezierTo

• 0x47a0d8 ExtSelectClipRgn

• 0x47a0dc DeleteDC

• 0x47a0e0 CreateDIBPatternBrushPt

• 0x47a0e4 CreatePatternBrush

• 0x47a0e8 GetStockObject

• 0x47a0ec SelectPalette

• 0x47a0f0 PlayMetaFileRecord

• 0x47a0f4 GetObjectType

• 0x47a0f8 EnumMetaFile

• 0x47a0fc PlayMetaFile

• 0x47a100 CreatePen

• 0x47a104 ExtCreatePen

• 0x47a108 CreateSolidBrush

• 0x47a10c CreateHatchBrush

• 0x47a110 GetTextMetricsA

• 0x47a114 GetBkColor

• 0x47a118 GetTextColor

• 0x47a11c CreateRectRgnIndirect

• 0x47a120 GetRgnBox

• 0x47a124 GetCharWidthA

• 0x47a128 CreateFontA

• 0x47a12c StretchDIBits

• 0x47a130 CreateCompatibleBitmap

• 0x47a134 SetRectRgn

• 0x47a138 CombineRgn

• 0x47a13c GetMapMode

• 0x47a140 PatBlt

• 0x47a144 DPtoLP

• 0x47a148 GetCurrentPositionEx

• 0x47a14c GetTextExtentPoint32A

• 0x47a150 GetWindowExtEx

• 0x47a154 GetViewportExtEx

• 0x47a158 SelectClipPath

• 0x47a15c CreateRectRgn

• 0x47a160 BitBlt

• 0x47a164 CreateCompatibleDC

• 0x47a168 CreateFontIndirectA

• 0x47a16c CreateDCA

• 0x47a170 CopyMetaFileA

• 0x47a174 GetDeviceCaps

• 0x47a178 GetObjectA

• 0x47a17c SetBkColor

• 0x47a180 SetTextColor

• 0x47a184 GetClipBox

• 0x47a188 GetDCOrgEx

• 0x47a18c GetPixel

• 0x47a190 CreateBitmap

• 0x47a194 GetClipRgn

• 0x47a198 SelectClipRgn

• 0x47a19c DeleteObject

• 0x47a1a0 StartDocA

Library COMDLG32.dll:

• 0x47a034 GetFileTitleA

Library WINSPOOL.DRV:

• 0x47a7d0 DocumentPropertiesA

• 0x47a7d4 ClosePrinter

• 0x47a7d8 OpenPrinterA

Library ADVAPI32.dll:

• 0x47a000 RegDeleteValueA

• 0x47a004 RegSetValueExA

• 0x47a008 RegCreateKeyExA

• 0x47a00c RegSetValueA

• 0x47a010 RegQueryValueA

• 0x47a014 RegOpenKeyA

• 0x47a018 RegEnumKeyA

• 0x47a01c RegDeleteKeyA

• 0x47a020 RegOpenKeyExA

• 0x47a024 RegQueryValueExA

• 0x47a028 RegCloseKey

• 0x47a02c RegCreateKeyA

Library SHELL32.dll:

• 0x47a4d8 ExtractIconA

• 0x47a4dc DragFinish

• 0x47a4e0 DragQueryFileA

• 0x47a4e4 SHGetFileInfoA

Library SHLWAPI.dll:

• 0x47a4ec PathFindFileNameA

• 0x47a4f0 PathStripToRootA

• 0x47a4f4 PathIsUNCA

• 0x47a4f8 PathFindExtensionA

• 0x47a4fc PathRemoveExtensionA

• 0x47a500 PathRemoveFileSpecW

Library oledlg.dll:

• 0x47a8fc

Library ole32.dll:

• 0x47a86c StringFromGUID2

• 0x47a870 SetConvertStg

• 0x47a874 CLSIDFromProgID

• 0x47a878 CLSIDFromString

• 0x47a87c CreateStreamOnHGlobal

• 0x47a880 CoRegisterMessageFilter

• 0x47a884 OleFlushClipboard

• 0x47a888 OleIsCurrentClipboard

• 0x47a88c OleSetClipboard

• 0x47a890 CoRevokeClassObject

• 0x47a894 CoRegisterClassObject

• 0x47a898 OleInitialize

• 0x47a89c CoFreeUnusedLibraries

• 0x47a8a0 OleUninitialize

• 0x47a8a4 OleRun

• 0x47a8a8 CoInitializeEx

• 0x47a8ac CoUninitialize

• 0x47a8b0 CoCreateInstance

• 0x47a8b4 CoTaskMemFree

• 0x47a8b8 CoDisconnectObject

• 0x47a8bc CreateILockBytesOnHGlobal

• 0x47a8c0 StgCreateDocfileOnILockBytes

• 0x47a8c4 StgOpenStorageOnILockBytes

• 0x47a8c8 CoGetClassObject

• 0x47a8cc OleDuplicateData

• 0x47a8d0 CoTaskMemAlloc

• 0x47a8d4 ReleaseStgMedium

• 0x47a8d8 CreateBindCtx

• 0x47a8dc CoTreatAsClass

• 0x47a8e0 StringFromCLSID

• 0x47a8e4 ReadClassStg

• 0x47a8e8 ReadFmtUserTypeStg

• 0x47a8ec OleRegGetUserType

• 0x47a8f0 WriteClassStg

• 0x47a8f4 WriteFmtUserTypeStg

Library OLEAUT32.dll:

• 0x47a42c SysFreeString

• 0x47a430 SysStringByteLen

• 0x47a434 SysAllocStringByteLen

• 0x47a438 SysStringLen

• 0x47a43c VariantInit

• 0x47a440 VariantChangeType

• 0x47a444 VariantClear

• 0x47a448 SysAllocStringLen

• 0x47a44c OleCreateFontIndirect

• 0x47a450 VariantTimeToSystemTime

• 0x47a454 SystemTimeToVariantTime

• 0x47a458 SafeArrayDestroy

• 0x47a45c SysAllocString

• 0x47a460 RegisterTypeLib

• 0x47a464 LoadTypeLib

• 0x47a468 LoadRegTypeLib

• 0x47a46c SafeArrayUnaccessData

• 0x47a470 SafeArrayAccessData

• 0x47a474 SafeArrayGetUBound

• 0x47a478 SafeArrayGetLBound

• 0x47a47c SafeArrayGetElemsize

• 0x47a480 SafeArrayGetDim

• 0x47a484 SafeArrayCreate

• 0x47a488 SafeArrayRedim

• 0x47a48c VariantCopy

• 0x47a490 SafeArrayAllocData

• 0x47a494 SafeArrayAllocDescriptor

• 0x47a498 SafeArrayCopy

• 0x47a49c SafeArrayGetElement

• 0x47a4a0 SafeArrayPtrOfIndex

• 0x47a4a4 SafeArrayPutElement

• 0x47a4a8 SafeArrayLock

• 0x47a4ac SafeArrayUnlock

• 0x47a4b0 SafeArrayDestroyData

• 0x47a4b4 SafeArrayDestroyDescriptor

• 0x47a4b8 SysReAllocStringLen

• 0x47a4bc VarDateFromStr

• 0x47a4c0 VarBstrFromCy

• 0x47a4c4 VarBstrFromDec

• 0x47a4c8 VarDecFromStr

• 0x47a4cc VarCyFromStr

• 0x47a4d0 VarBstrFromDate

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
r3---sn-j5o7dn7e.gvt1.com	CNAME r3.sn-j5o7dn7e.gvt1.com A 113.108.239.196	113.108.239.196
redirector.gvt1.com	A 203.208.41.65	203.208.41.33
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
r1---sn-j5o7dn7e.gvt1.com	A 113.108.239.194 CNAME r1.sn-j5o7dn7e.gvt1.com	113.108.239.194
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	172.217.160.78
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
update.googleapis.com	A 203.208.40.98	203.208.43.98
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49195	113.108.239.194 r1---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49196	113.108.239.196 r3---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49192	203.208.40.98 update.googleapis.com	443
192.168.56.101	49194	203.208.41.65 redirector.gvt1.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	54991	114.114.114.114	53
192.168.56.101	56743	114.114.114.114	53
192.168.56.101	58070	114.114.114.114	53
192.168.56.101	58970	114.114.114.114	53
192.168.56.101	60123	114.114.114.114	53
192.168.56.101	60215	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	53380	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	54178	224.0.0.252	5355
192.168.56.101	54260	224.0.0.252	5355
192.168.56.101	55368	224.0.0.252	5355
192.168.56.101	56539	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: redirector.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619780417&mv=m&mvi=1&pl=23&shardbypass=yes	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619780417&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r1---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=283dc48e846640dc&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619780417&mv=m	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=283dc48e846640dc&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619780417&mv=m HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com

URI

Data

http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619780417&mv=m&mvi=1&pl=23&shardbypass=yes

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619780417&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=283dc48e846640dc&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619780417&mv=m

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=283dc48e846640dc&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619780417&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.