Score: 10.6
Tag: 0-day

SHA256: b528d696a8d0056a9bf66b5ec8ef2d1e8fe5e7000ca024fce9e7d0e43dfde97c

File name: 4a0edcb5f8243089d92b593e6ea23792.exe

Analysis duration: 536s

Most recent analysis

File size: 290.5KB
Flagged by static analysis. Flagged by dynamic analysis. Detection tags: 100% AI SCORE=85 BTD2S8 CONFIDENCE CZYJ ELDORADO FAREIT GENCIRC GENERICKDZ GGYJNCIGAHK HIGH CONFIDENCE HJOMVO IGENT KRYPTIK MALICIOUS PE MALWARE@#2CMNVQRLJ3FT7 MALWAREX MXRESICN R06EC0DIK20 R342597 REMCOS S + MAL SCORE SIGGEN9 SM0@AK24W@K STATIC AI TSCOPE UDGYK UNSAFE ZEMSILF
鹰眼 (Eagle Eye) engine
Not detected: no Eagle Eye engine result is available for this sample
Static verdict
Antivirus engines
Engine       Result                             Date      Version
McAfee       Fareit-FSX!4A0EDCB5F824            20201225  6.0.6.653
CrowdStrike  win/malicious_confidence_100% (W)  20190702  1.0
Alibaba      Backdoor:MSIL/Remcos.8a98a87e      20190527  0.3.0.5
Avast        Win32:MalwareX-gen [Trj]           20201225  21.1.5827.0
Tencent      Malware.Win32.Gencirc.10cdd612     20201225  1.0.0.1
Baidu        -                                  20190318  1.0.0.2
Kingsoft     -                                  20201225  2017.9.26.565
Static indicators
Queries the computer name (7 events)
Time               API               Arguments                Status   Return  Repeated
1619491469.334001  GetComputerNameW  computer_name: OSKAR-PC  success  1       0
1619491469.349001  GetComputerNameW  computer_name: OSKAR-PC  success  1       0
1619491469.349001  GetComputerNameW  computer_name: OSKAR-PC  success  1       0
1619491469.412001  GetComputerNameW  computer_name: OSKAR-PC  success  1       0
1619491484.568001  GetComputerNameA  computer_name: OSKAR-PC  success  1       0
1619491484.568001  GetComputerNameW  computer_name: OSKAR-PC  success  1       0
1619491516.395374  GetComputerNameW  computer_name: OSKAR-PC  success  1       0
Checks whether the process is being debugged (3 events)
Time               API                Arguments  Status  Return  Repeated
1619491437.098374  IsDebuggerPresent             failed  0       0
1619491437.098374  IsDebuggerPresent             failed  0       0
1619491470.459001  IsDebuggerPresent             failed  0       0
A return value of 0 means no debugger was detected; the "failed" status is how the monitor records a FALSE return from a BOOL API, not an error in the call.
Command line console output was observed (1 event)
Time               API            Arguments                                                                                              Status   Return  Repeated
1619491523.723374  WriteConsoleW  buffer: 成功: 成功创建计划任务 "Updates\NKndzdZgYIllC"。  console_handle: 0x00000007                        success  1       0
The buffer is the localized success message of schtasks.exe (in English: SUCCESS: The scheduled task "Updates\NKndzdZgYIllC" has successfully been created.), confirming that the task creation shown under "Creates a suspicious process" completed.
Uses Windows APIs to generate a cryptographic key (50 of 64 events shown)
Time               API             crypto_handle  crypto_export_handle  buffer             blob_type  flags  Status   Return  Repeated
1619491474.053001  CryptExportKey  0x00399098     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491479.021001  CryptExportKey  0x00398f58     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491479.021001  CryptExportKey  0x00398f58     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491479.021001  CryptExportKey  0x00398f58     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491479.256001  CryptExportKey  0x00398f58     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491479.256001  CryptExportKey  0x00398f58     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491479.256001  CryptExportKey  0x00398f58     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491479.271001  CryptExportKey  0x00398f58     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491479.334001  CryptExportKey  0x00398498     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491479.334001  CryptExportKey  0x00398498     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491479.349001  CryptExportKey  0x00398498     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491479.349001  CryptExportKey  0x00398498     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491479.349001  CryptExportKey  0x00398498     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491479.349001  CryptExportKey  0x00398498     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491480.865001  CryptExportKey  0x003989d8     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491480.865001  CryptExportKey  0x003989d8     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491480.865001  CryptExportKey  0x003989d8     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491480.865001  CryptExportKey  0x003989d8     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491480.865001  CryptExportKey  0x003989d8     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491480.865001  CryptExportKey  0x003989d8     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491480.881001  CryptExportKey  0x003989d8     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491484.224001  CryptExportKey  0x00398d98     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491484.224001  CryptExportKey  0x00398d98     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491484.224001  CryptExportKey  0x00398d98     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491484.240001  CryptExportKey  0x003988d8     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491484.240001  CryptExportKey  0x00398d98     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491484.240001  CryptExportKey  0x00398d98     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491484.240001  CryptExportKey  0x00398d98     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491484.240001  CryptExportKey  0x00398d98     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491484.256001  CryptExportKey  0x00398d98     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491484.271001  CryptExportKey  0x00398d98     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491484.271001  CryptExportKey  0x00398d98     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491484.365001  CryptExportKey  0x00398d98     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491484.365001  CryptExportKey  0x00398d98     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491484.459001  CryptExportKey  0x00398cd8     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491484.459001  CryptExportKey  0x00398cd8     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491484.459001  CryptExportKey  0x00398cd8     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491484.474001  CryptExportKey  0x00398cd8     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491484.474001  CryptExportKey  0x00398cd8     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491484.474001  CryptExportKey  0x00398cd8     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491484.474001  CryptExportKey  0x00398cd8     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491484.506001  CryptExportKey  0x00398358     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491484.506001  CryptExportKey  0x00398358     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491485.053001  CryptExportKey  0x00398358     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491485.053001  CryptExportKey  0x00398358     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491485.053001  CryptExportKey  0x00398358     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491485.053001  CryptExportKey  0x00398358     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491485.053001  CryptExportKey  0x00398358     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491485.084001  CryptExportKey  0x00398358     0x00000000            <INVALID POINTER>  6          0      success  1       0
1619491485.084001  CryptExportKey  0x00398358     0x00000000            <INVALID POINTER>  6          0      success  1       0
blob_type 6 is PUBLICKEYBLOB, and a NULL output buffer (logged as <INVALID POINTER>) on a call that still succeeds is the length-query form of CryptExportKey, so these events show public-key blobs being sized for export, not private key material leaving the process.
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time               API                   Arguments  Status   Return  Repeated
1619491437.348374  GlobalMemoryStatusEx             success  1       0
Behavioral verdict
Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware-related traffic (1 event)
suspicious_features: POST method with no referer header
suspicious_request: POST https://update.googleapis.com/service/update2?cup2key=10:3560244873&cup2hreq=0d8acdc96f3040891180a8325e580a279b8064830448f36b87c92a24c3e362c7
Performs some HTTP requests (5 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619461947&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7l&req_id=a4fea60cc7447bea&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619461947&mv=m
request GET http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7l&req_id=a4fea60cc7447bea&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619461947&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:3560244873&cup2hreq=0d8acdc96f3040891180a8325e580a279b8064830448f36b87c92a24c3e362c7
Sends data using the HTTP POST method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:3560244873&cup2hreq=0d8acdc96f3040891180a8325e580a279b8064830448f36b87c92a24c3e362c7
Every request in this run targets Google Update infrastructure (redirector.gvt1.com, r1/r3---sn-j5o7dn7e.gvt1.com, update.googleapis.com) for GoogleUpdateSetup.exe, and the raw requests in the "HTTP & HTTPS Requests" section carry the User-Agent "Microsoft BITS/7.5". That is consistent with Google Update background activity on the analysis VM rather than traffic originated by the sample; no other outbound host appears in the TCP table, so no command-and-control traffic from the sample is visible in this analysis.
Allocates read-write-execute memory (usually to unpack itself) (50 of 197 events shown)
Common to every event below: process_identifier 1124, process_handle 0xffffffff, protection 64 (PAGE_EXECUTE_READWRITE), stack_dep_bypass 0, stack_pivoted 0, status success, return 0, repeated 0. "size" is region_size for NtAllocateVirtualMemory and length for NtProtectVirtualMemory (which changes protection on existing pages and has no allocation_type).
Time               API                      size     heap_dep_bypass  allocation_type     base_address
1619491434.692374  NtAllocateVirtualMemory  1179648  0                8192 (MEM_RESERVE)  0x00780000
1619491434.692374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00860000
1619491436.005374  NtAllocateVirtualMemory  2293760  0                8192 (MEM_RESERVE)  0x00da0000
1619491436.005374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00f90000
1619491436.083374  NtProtectVirtualMemory   4096     0                -                   0x73b91000
1619491437.098374  NtAllocateVirtualMemory  524288   0                8192 (MEM_RESERVE)  0x00570000
1619491437.098374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x005b0000
1619491437.098374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x0041a000
1619491437.114374  NtProtectVirtualMemory   8192     0                -                   0x73b92000
1619491437.114374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00412000
1619491438.130374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00522000
1619491438.505374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00545000
1619491438.505374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x0054b000
1619491438.505374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00547000
1619491438.927374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00523000
1619491439.114374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x0052c000
1619491446.005374  NtAllocateVirtualMemory  8192     1                4096 (MEM_COMMIT)   0x00524000
1619491446.005374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00526000
1619491446.348374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00710000
1619491446.739374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x0053a000
1619491446.739374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00537000
1619491447.067374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00527000
1619491447.067374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00528000
1619491447.177374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00711000
1619491447.380374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00536000
1619491447.848374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00712000
1619491448.114374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00529000
1619491448.364374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00f91000
1619491448.739374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00713000
1619491448.739374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00f70000
1619491448.739374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00f71000
1619491448.833374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00f72000
1619491448.848374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x005b1000
1619491448.895374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x005b2000
1619491448.989374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x005b3000
1619491448.989374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x005b4000
1619491448.989374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x005b5000
1619491448.989374  NtAllocateVirtualMemory  12288    1                4096 (MEM_COMMIT)   0x005b6000
1619491449.177374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00714000
1619491449.192374  NtAllocateVirtualMemory  16384    1                4096 (MEM_COMMIT)   0x005b9000
1619491449.192374  NtAllocateVirtualMemory  69632    1                4096 (MEM_COMMIT)   0x005bd000
1619491449.192374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x005ce000
1619491449.239374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x005cf000
1619491449.270374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x005d0000
1619491449.270374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00715000
1619491449.567374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00716000
1619491449.723374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00f73000
1619491449.723374  NtAllocateVirtualMemory  4096     1                4096 (MEM_COMMIT)   0x00717000
1619491449.802374  NtAllocateVirtualMemory  16384    1                4096 (MEM_COMMIT)   0x00f92000
1619491449.802374  NtAllocateVirtualMemory  69632    1                4096 (MEM_COMMIT)   0x00f96000
The sample's only import is mscoree.dll!_CorExeMain (see Imports below), i.e. it is a .NET executable. The CLR reserves large PAGE_EXECUTE_READWRITE regions and commits pages into them for JIT-compiled code, which is exactly the reserve-then-commit pattern above, so RWX allocation is expected for any managed binary and is weak evidence on its own here; the packed .text section and the Remcos detections carry the weight.
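To make the fifty events above readable, the following added example (not code from the report or the sandbox) rebuilds the RWX reservations and attributes each MEM_COMMIT to the reservation that contains it. The event list is transcribed from the table above; the region and orphan logic, and the reading of the 0x0041a000/0x00412000 commits as pages of the main module (image base 0x400000 inferred from the import table entry at 0x402000, .text at RVA 0x2000), are this example's own.

```python
"""Group PAGE_EXECUTE_READWRITE commits under the reservation that holds them.

Added example for the memory table above; it is not part of the sandbox report.
"""

MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000

# (api, size, allocation_type or None for NtProtectVirtualMemory, base_address),
# transcribed from the 50 events shown in the report.
EVENTS = [
    ("NtAllocateVirtualMemory", 1179648, MEM_RESERVE, 0x00780000),
    ("NtAllocateVirtualMemory", 4096, MEM_COMMIT, 0x00860000),
    ("NtAllocateVirtualMemory", 2293760, MEM_RESERVE, 0x00da0000),
    ("NtAllocateVirtualMemory", 4096, MEM_COMMIT, 0x00f90000),
    ("NtProtectVirtualMemory", 4096, None, 0x73b91000),
    ("NtAllocateVirtualMemory", 524288, MEM_RESERVE, 0x00570000),
    ("NtAllocateVirtualMemory", 4096, MEM_COMMIT, 0x005b0000),
    ("NtAllocateVirtualMemory", 4096, MEM_COMMIT, 0x0041a000),
    ("NtProtectVirtualMemory", 8192, None, 0x73b92000),
    ("NtAllocateVirtualMemory", 4096, MEM_COMMIT, 0x00412000),
]
# The remaining 40 events are MEM_COMMITs of 4096 bytes unless a size is given.
_MORE_COMMITS = [
    0x00522000, 0x00545000, 0x0054b000, 0x00547000, 0x00523000, 0x0052c000,
    (0x00524000, 8192), 0x00526000, 0x00710000, 0x0053a000, 0x00537000,
    0x00527000, 0x00528000, 0x00711000, 0x00536000, 0x00712000, 0x00529000,
    0x00f91000, 0x00713000, 0x00f70000, 0x00f71000, 0x00f72000, 0x005b1000,
    0x005b2000, 0x005b3000, 0x005b4000, 0x005b5000, (0x005b6000, 12288),
    0x00714000, (0x005b9000, 16384), (0x005bd000, 69632), 0x005ce000,
    0x005cf000, 0x005d0000, 0x00715000, 0x00716000, 0x00f73000, 0x00717000,
    (0x00f92000, 16384), (0x00f96000, 69632),
]
for _item in _MORE_COMMITS:
    _base, _size = _item if isinstance(_item, tuple) else (_item, 4096)
    EVENTS.append(("NtAllocateVirtualMemory", _size, MEM_COMMIT, _base))


def summarise_rwx(events):
    """Return (regions, orphans, total_committed).

    regions maps each MEM_RESERVE base to its size, the number of commits that
    landed inside it and the bytes they committed. orphans lists commits that
    fall outside every reservation visible in the trace: either regions
    reserved before the shown events, or pages of an already mapped image
    (0x00412000 and 0x0041a000 sit inside the main module's .text, which
    starts at 0x402000 per the import table and section header).
    """
    regions, orphans, total = {}, [], 0
    for api, size, alloc_type, base in events:
        if api != "NtAllocateVirtualMemory":
            continue  # NtProtectVirtualMemory re-protects pages, allocates nothing
        if alloc_type == MEM_RESERVE:
            regions[base] = {"size": size, "commits": 0, "committed_bytes": 0}
            continue
        if alloc_type != MEM_COMMIT:
            continue
        total += size
        for rbase, region in regions.items():
            if rbase <= base and base + size <= rbase + region["size"]:
                region["commits"] += 1
                region["committed_bytes"] += size
                break
        else:
            orphans.append((base, size))
    return regions, orphans, total


if __name__ == "__main__":
    regions, orphans, total = summarise_rwx(EVENTS)
    for base, r in sorted(regions.items()):
        print(f"reserved 0x{base:08x} (+0x{r['size']:x}): "
              f"{r['commits']} commits, {r['committed_bytes']} bytes committed")
    print(f"{len(orphans)} commits outside the visible reservations; "
          f"{total} RWX bytes committed in total")
```

Run stand-alone it prints three reservations; the 0x00570000 region alone receives a contiguous run of twelve commits from 0x005b0000 to 0x005d1000, which is the shape of a code heap being filled rather than of a single unpacked payload being dropped.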
Creates a shortcut to an executable file (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
Creates a suspicious process (3 events)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NKndzdZgYIllC" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp61F7.tmp"
cmdline schtasks.exe /Create /TN "Updates\NKndzdZgYIllC" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp61F7.tmp"
cmdline "powershell" Get-MpPreference -verbose
A process created a hidden window (2 events)
Time & API Arguments Status Return Repeated
1619491464.973374
CreateProcessInternalW
thread_identifier: 2796
thread_handle: 0x00000244
process_identifier: 2016
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath:
track: 1
command_line: "powershell" Get-MpPreference -verbose
filepath_r:
stack_pivoted: 0
creation_flags: 134217728 (CREATE_NO_WINDOW)
process_handle: 0x00000250
inherit_handles: 1
success 1 0
1619491516.177374
ShellExecuteExW
parameters: /Create /TN "Updates\NKndzdZgYIllC" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp61F7.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.301273609174526  section .text (virtual_address 0x00002000, virtual_size 0x00037454, size_of_data 0x00037600)  description: A section with a high entropy has been found
entropy 0.7637931034482759  description: Overall entropy of this PE file is high
Checks for the locally unique identifier (LUID) of a suspicious privilege (1 event)
Time               API                    Arguments                                            Status   Return  Repeated
1619491473.396001  LookupPrivilegeValueW  system_name: (empty), privilege_name: SeDebugPrivilege  success  1       0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NKndzdZgYIllC" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp61F7.tmp"
cmdline schtasks.exe /Create /TN "Updates\NKndzdZgYIllC" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp61F7.tmp"
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Deletes executed files from disk (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp61F7.tmp
This is the task definition passed to schtasks.exe /XML above; the file is removed once the task has been imported, so the task's triggers and action survive only in the Task Scheduler store.
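As an added example (not code from the report or the sandbox), the following Python takes the two schtasks.exe command lines listed under "Creates a suspicious process" together with the deleted tmp61F7.tmp path and turns them into one structured finding. The Windows command-line splitter, the Temp-directory pattern and the benign "NightlyBackup" line used for contrast are this example's own assumptions.

```python
"""Flag scheduled-task persistence staged through a temporary task XML.

Added example for the schtasks.exe events in the report above; not part of
the sandbox or its signatures.
"""
import ntpath
import re

# Assumption: the user temp directory follows the %LOCALAPPDATA%\Temp layout.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def split_windows_cmdline(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes.

    Sufficient for schtasks-style lines; it does not implement every
    CommandLineToArgvW backslash rule.
    """
    args, cur, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args


def parse_schtasks(cmdline):
    """Return {SWITCH: value or True} for a schtasks.exe command line, else None."""
    argv = split_windows_cmdline(cmdline)
    if not argv or ntpath.basename(argv[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("/"):
            key = tok[1:].upper()
            if i + 1 < len(argv) and not argv[i + 1].startswith("/"):
                opts[key] = argv[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def assess_task_creations(cmdlines, deleted_files):
    """Correlate /Create command lines with files deleted later in the trace.

    One finding per distinct (task name, XML path): the report lists the same
    creation twice, once with the full schtasks.exe path and once bare.
    """
    deleted = {ntpath.normcase(p) for p in deleted_files}
    findings = {}
    for cmd in cmdlines:
        opts = parse_schtasks(cmd)
        if not opts or "CREATE" not in opts:
            continue
        name = opts.get("TN")
        xml = opts.get("XML")
        name = name if isinstance(name, str) else ""
        xml = xml if isinstance(xml, str) else ""
        key = (ntpath.normcase(name), ntpath.normcase(xml))
        if key in findings:
            continue
        reasons = []
        if xml:
            reasons.append("task body supplied via /XML, so triggers and actions are not on the command line")
            if TEMP_DIR_RE.search(xml):
                reasons.append("task XML staged in the user's Temp directory")
            if ntpath.normcase(xml) in deleted:
                reasons.append("task XML deleted after import")
        if "\\" in name:
            folder = name.rsplit("\\", 1)[0]
            reasons.append(f"task created inside the folder {folder!r}")
        findings[key] = {"task_name": name, "xml": xml, "reasons": reasons}
    return list(findings.values())


# Command lines and deleted file exactly as listed in the report, plus one
# constructed benign line (NightlyBackup) for contrast.
REPORT_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NKndzdZgYIllC" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp61F7.tmp"',
    r'schtasks.exe /Create /TN "Updates\NKndzdZgYIllC" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp61F7.tmp"',
    r'schtasks.exe /Create /TN "NightlyBackup" /TR "C:\Tools\backup.exe" /SC DAILY /ST 02:00',
]
REPORT_DELETED = [r"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp61F7.tmp"]

if __name__ == "__main__":
    for finding in assess_task_creations(REPORT_CMDLINES, REPORT_DELETED):
        print(finding["task_name"] or "(no /TN)", "->", "; ".join(finding["reasons"]) or "nothing notable")
```

The report's task scores on all four heuristics (XML-defined, staged in Temp, deleted afterwards, placed in an "Updates" folder) while the constructed benign task scores on none; on a live host the same parser can be pointed at Security event 4698 or Sysmon event 1 command lines.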
Generates some ICMP traffic
Disables Windows Security features (4 events)
description: attempts to modify Windows Defender policy registry value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring
description: attempts to modify Windows Defender policy registry value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
description: attempts to modify Windows Defender policy registry value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable
description: attempts to modify Windows Defender policy registry value HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection
The last path component of each entry is the policy value written. DisableAntiSpyware switches the Defender antivirus engine off as a whole (Microsoft has since documented this value as ignored on client devices from the August 2020 Defender platform update onward), while the three Real-Time Protection values turn off behaviour monitoring, on-access scanning of files as they are opened or written, and the process scan that normally runs when real-time protection is turned on. The hidden "powershell" Get-MpPreference -verbose process created with CREATE_NO_WINDOW above enumerates the current Defender preferences that these writes target.
File has been identified by 57 antivirus engines on VirusTotal as malicious (50 of 57 engines shown)
Elastic malicious (high confidence)
DrWeb Trojan.Siggen9.43191
Cynet Malicious (score: 85)
McAfee Fareit-FSX!4A0EDCB5F824
Cylance Unsafe
Zillya Trojan.Kryptik.Win32.1997344
Sangfor Malware
CrowdStrike win/malicious_confidence_100% (W)
Alibaba Backdoor:MSIL/Remcos.8a98a87e
K7GW Trojan ( 005686081 )
K7AntiVirus Trojan ( 005686081 )
BitDefenderTheta Gen:NN.ZemsilF.34700.sm0@aK24w@k
Cyren W32/MSIL_Kryptik.AZP.gen!Eldorado
Symantec Trojan.Gen.MBT
ESET-NOD32 a variant of MSIL/Kryptik.VQV
APEX Malicious
Paloalto generic.ml
Kaspersky HEUR:Backdoor.MSIL.Remcos.gen
BitDefender Trojan.GenericKDZ.66843
NANO-Antivirus Trojan.Win32.Kryptik.hjomvo
MicroWorld-eScan Trojan.GenericKDZ.66843
Avast Win32:MalwareX-gen [Trj]
Tencent Malware.Win32.Gencirc.10cdd612
Ad-Aware Trojan.GenericKDZ.66843
Sophos Mal/Generic-S + Mal/MSIL-UH
Comodo Malware@#2cmnvqrlj3ft7
F-Secure Trojan.TR/AD.Remcos.udgyk
VIPRE Trojan.Win32.Generic!BT
TrendMicro TROJ_GEN.R06EC0DIK20
McAfee-GW-Edition Fareit-FSX!4A0EDCB5F824
FireEye Generic.mg.4a0edcb5f8243089
Emsisoft Trojan.GenericKDZ.66843 (B)
Ikarus Trojan.Inject
GData Trojan.GenericKDZ.66843
Jiangmin Backdoor.MSIL.czyj
Avira TR/AD.Remcos.udgyk
Antiy-AVL Trojan[Backdoor]/MSIL.Remcos
Arcabit Trojan.Generic.D1051B
AegisLab Trojan.MSIL.Remcos.m!c
ZoneAlarm HEUR:Backdoor.MSIL.Remcos.gen
Microsoft Trojan:MSIL/Remcos.SD!MTB
AhnLab-V3 Trojan/Win32.Remcos.R342597
VBA32 TScope.Trojan.MSIL
ALYac Trojan.GenericKDZ.66843
MAX malware (ai score=85)
Malwarebytes Backdoor.Remcos
TrendMicro-HouseCall TROJ_GEN.R06EC0DIK20
Rising Backdoor.Remcos!8.B89E (TFE:C:gGyJncIgAhK)
Yandex Trojan.Igent.bTD2s8.29
SentinelOne Static AI - Malicious PE
Connects to IP addresses that are no longer responding to requests (legitimate services usually remain up and running) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
Both addresses are in Google's 172.217.0.0/16 range and match the Google Update traffic recorded above, not a sample-specific endpoint.
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran

PE Compile Time

2020-04-29 16:08:14

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source          Source port  Destination IP   Destination host           Destination port
192.168.56.101 49186 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49187 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49185 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49183 203.208.41.98 update.googleapis.com 443

UDP

Source          Source port  Destination IP   Destination host           Destination port
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 53500 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56743 114.114.114.114 53
192.168.56.101 58070 114.114.114.114 53
192.168.56.101 60088 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60215 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 54991 224.0.0.252 5355
192.168.56.101 56539 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619461947&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619461947&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7l&req_id=a4fea60cc7447bea&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619461947&mv=m
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7l&req_id=a4fea60cc7447bea&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619461947&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7l&req_id=a4fea60cc7447bea&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619461947&mv=m
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7l&req_id=a4fea60cc7447bea&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619461947&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=0-6718
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7l&req_id=a4fea60cc7447bea&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619461947&mv=m
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7l&req_id=a4fea60cc7447bea&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619461947&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=6719-19167
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7l&req_id=a4fea60cc7447bea&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619461947&mv=m
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7l&req_id=a4fea60cc7447bea&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619461947&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=19168-34517
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.