13.6
0-day
55 个模型检测该样本为恶意!
重新分析
更多

e38df9c0ed07f3226d5a6d5325317c0598011a125f21dc7890e92f661dfd675f

4c59d560fd90ee33564909ff0ba9b561.exe

分析耗时

622s

最近分析

文件大小

555.5KB
静态报毒 动态报毒 AGENSLA AGENTTESLA AI SCORE=86 ATTRIBUTE AUTO AVSARHER BEHAVIOR BTJEKX CLOUD CONFIDENCE DECYB ELDORADO GDSDA GENERICKD GENKRYPTIK HIGH CONFIDENCE HIGHCONFIDENCE IM0@AUNI1XI KRYPTIK LOKIBOT MALICIOUS PE PACKEDNET PWSX R338915 SCORE THFOABO TROJANPSW UNSAFE WACATAC ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee RDN/Generic.hbg 20200616 6.0.6.653
Avast Win32:PWSX-gen [Trj] 20200616 18.4.3895.0
Alibaba TrojanPSW:MSIL/Lokibot.53a1dcfc 20190527 0.3.0.5
Tencent Win32.Trojan.Inject.Auto 20200616 1.0.0.1
Baidu 20190318 1.0.0.2
Kingsoft 20200616 2013.8.14.323
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619513143.832
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (2 个事件)
Time & API Arguments Status Return Repeated
1619513092.629125
IsDebuggerPresent
failed 0 0
1619513151.301875
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 个事件)
Time & API Arguments Status Return Repeated
1619513148.957
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\SIwlWyRwz"。
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619513140.285125
GlobalMemoryStatusEx
success 1 0
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 个事件)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:1243229664&cup2hreq=194d315a85a62bd8b6e13bc9809aed646ff649b031a8637434d438456b4ac26c
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2
Performs some HTTP requests (6 个事件)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619483786&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d3281c31450c7ca0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619483786&mv=m
request GET http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d3281c31450c7ca0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619483786&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:1243229664&cup2hreq=194d315a85a62bd8b6e13bc9809aed646ff649b031a8637434d438456b4ac26c
request POST https://update.googleapis.com/service/update2
Sends data using the HTTP POST Method (2 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:1243229664&cup2hreq=194d315a85a62bd8b6e13bc9809aed646ff649b031a8637434d438456b4ac26c
request POST https://update.googleapis.com/service/update2
Allocates read-write-execute memory (usually to unpack itself) (50 out of 83 个事件)
Time & API Arguments Status Return Repeated
1619513086.348125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 1310720
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00530000
success 0 0
1619513086.348125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00630000
success 0 0
1619513092.441125
NtProtectVirtualMemory
process_identifier: 300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73a41000
success 0 0
1619513092.629125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0034a000
success 0 0
1619513092.629125
NtProtectVirtualMemory
process_identifier: 300
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73a42000
success 0 0
1619513092.629125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00342000
success 0 0
1619513094.191125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00352000
success 0 0
1619513094.582125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00353000
success 0 0
1619513094.660125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0038b000
success 0 0
1619513094.660125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00387000
success 0 0
1619513094.738125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0035c000
success 0 0
1619513133.879125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00354000
success 0 0
1619513133.957125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00355000
success 0 0
1619513134.254125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00356000
success 0 0
1619513134.379125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00690000
success 0 0
1619513134.707125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00357000
success 0 0
1619513134.832125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0037a000
success 0 0
1619513134.941125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00366000
success 0 0
1619513134.941125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0036a000
success 0 0
1619513134.941125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00367000
success 0 0
1619513135.520125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0034b000
success 0 0
1619513136.301125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00358000
success 0 0
1619513137.113125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00691000
success 0 0
1619513137.301125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x04c30000
success 0 0
1619513137.301125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04e20000
success 0 0
1619513137.301125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04e21000
success 0 0
1619513137.488125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04e22000
success 0 0
1619513137.488125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04e23000
success 0 0
1619513137.801125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00692000
success 0 0
1619513137.816125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04e24000
success 0 0
1619513137.848125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04e25000
success 0 0
1619513137.957125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00693000
success 0 0
1619513138.051125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0035a000
success 0 0
1619513138.504125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00970000
success 0 0
1619513139.129125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00359000
success 0 0
1619513139.223125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00372000
success 0 0
1619513139.426125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00385000
success 0 0
1619513139.645125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00631000
success 0 0
1619513139.770125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00694000
success 0 0
1619513139.879125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x021b0000
success 0 0
1619513140.098125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 16384
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04e26000
success 0 0
1619513140.098125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 69632
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04e2a000
success 0 0
1619513140.098125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04e3b000
success 0 0
1619513140.098125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04e3c000
success 0 0
1619513140.176125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04e3d000
success 0 0
1619513140.176125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04e3e000
success 0 0
1619513140.176125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04e3f000
success 0 0
1619513140.223125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00695000
success 0 0
1619513140.223125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04e42000
success 0 0
1619513140.223125
NtAllocateVirtualMemory
process_identifier: 300
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04e43000
success 0 0
Creates a suspicious process (2 个事件)
cmdline schtasks.exe /Create /TN "Updates\SIwlWyRwz" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp82FC.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SIwlWyRwz" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp82FC.tmp"
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619513143.504125
ShellExecuteExW
parameters: /Create /TN "Updates\SIwlWyRwz" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp82FC.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.941967727127473 section {'size_of_data': '0x00063600', 'virtual_address': '0x00002000', 'entropy': 7.941967727127473, 'name': '.text', 'virtual_size': '0x00063408'} description A section with a high entropy has been found
entropy 0.7162162162162162 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 个事件)
Time & API Arguments Status Return Repeated
1619513150.848125
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619513153.879875
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (4 个事件)
Time & API Arguments Status Return Repeated
1619513150.910125
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2956
process_handle: 0x000003b0
failed 0 0
1619513150.910125
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2956
process_handle: 0x000003b0
success 0 0
1619513151.020125
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1988
process_handle: 0x000003b8
failed 0 0
1619513151.020125
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 1988
process_handle: 0x000003b8
success 0 0
Uses Windows utilities for basic Windows functionality (2 个事件)
cmdline schtasks.exe /Create /TN "Updates\SIwlWyRwz" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp82FC.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SIwlWyRwz" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp82FC.tmp"
网络通信
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (3 个事件)
Time & API Arguments Status Return Repeated
1619513150.801125
NtAllocateVirtualMemory
process_identifier: 2956
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003a8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619513150.941125
NtAllocateVirtualMemory
process_identifier: 1988
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003ac
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619513151.066125
NtAllocateVirtualMemory
process_identifier: 2568
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Deletes executed files from disk (1 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp82FC.tmp
Manipulates memory of a non-child process indicative of process injection (4 个事件)
Process injection Process 300 manipulating memory of non-child process 2956
Process injection Process 300 manipulating memory of non-child process 1988
Time & API Arguments Status Return Repeated
1619513150.801125
NtAllocateVirtualMemory
process_identifier: 2956
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003a8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619513150.941125
NtAllocateVirtualMemory
process_identifier: 1988
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003ac
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Potential code injection by writing to the memory of another process (4 个事件)
Time & API Arguments Status Return Repeated
1619513151.066125
WriteProcessMemory
process_identifier: 2568
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELè›Ñ^à ¬Ê à@  @…ÄÉWà  H.text$ª ¬ `.rsrcà®@@.reloc ²@B
process_handle: 0x000003b4
base_address: 0x00400000
success 1 0
1619513151.082125
WriteProcessMemory
process_identifier: 2568
buffer: €0€HXत4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoà000004b0,FileDescription 0FileVersion0.0.0.0h$InternalNametFMCGboSPRKXNlwxEpWcvOjaZpEyYLA.exe(LegalCopyright p$OriginalFilenametFMCGboSPRKXNlwxEpWcvOjaZpEyYLA.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x000003b4
base_address: 0x0044e000
success 1 0
1619513151.082125
WriteProcessMemory
process_identifier: 2568
buffer: À :
process_handle: 0x000003b4
base_address: 0x00450000
success 1 0
1619513151.082125
WriteProcessMemory
process_identifier: 2568
buffer: @
process_handle: 0x000003b4
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619513151.066125
WriteProcessMemory
process_identifier: 2568
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELè›Ñ^à ¬Ê à@  @…ÄÉWà  H.text$ª ¬ `.rsrcà®@@.reloc ²@B
process_handle: 0x000003b4
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 300 called NtSetContextThread to modify thread in remote process 2568
Time & API Arguments Status Return Repeated
1619513151.082125
NtSetContextThread
thread_handle: 0x000003b8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4508190
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2568
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 300 resumed a thread in remote process 2568
Time & API Arguments Status Return Repeated
1619513151.129125
NtResumeThread
thread_handle: 0x000003b8
suspend_count: 1
process_identifier: 2568
success 0 0
Executed a process and injected code into it, probably while unpacking (26 个事件)
Time & API Arguments Status Return Repeated
1619513092.629125
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 300
success 0 0
1619513092.785125
NtResumeThread
thread_handle: 0x00000160
suspend_count: 1
process_identifier: 300
success 0 0
1619513141.801125
NtResumeThread
thread_handle: 0x00000284
suspend_count: 1
process_identifier: 300
success 0 0
1619513143.504125
CreateProcessInternalW
thread_identifier: 1928
thread_handle: 0x00000360
process_identifier: 3028
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SIwlWyRwz" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp82FC.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00000398
inherit_handles: 0
success 1 0
1619513150.754125
CreateProcessInternalW
thread_identifier: 1316
thread_handle: 0x00000354
process_identifier: 2956
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4c59d560fd90ee33564909ff0ba9b561.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4c59d560fd90ee33564909ff0ba9b561.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000003a8
inherit_handles: 0
success 1 0
1619513150.801125
NtGetContextThread
thread_handle: 0x00000354
success 0 0
1619513150.801125
NtAllocateVirtualMemory
process_identifier: 2956
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003a8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619513150.941125
CreateProcessInternalW
thread_identifier: 340
thread_handle: 0x000003b0
process_identifier: 1988
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4c59d560fd90ee33564909ff0ba9b561.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4c59d560fd90ee33564909ff0ba9b561.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000003ac
inherit_handles: 0
success 1 0
1619513150.941125
NtGetContextThread
thread_handle: 0x000003b0
success 0 0
1619513150.941125
NtAllocateVirtualMemory
process_identifier: 1988
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003ac
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619513151.066125
CreateProcessInternalW
thread_identifier: 2212
thread_handle: 0x000003b8
process_identifier: 2568
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4c59d560fd90ee33564909ff0ba9b561.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4c59d560fd90ee33564909ff0ba9b561.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000003b4
inherit_handles: 0
success 1 0
1619513151.066125
NtGetContextThread
thread_handle: 0x000003b8
success 0 0
1619513151.066125
NtAllocateVirtualMemory
process_identifier: 2568
region_size: 335872
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003b4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619513151.066125
WriteProcessMemory
process_identifier: 2568
buffer: MZÿÿ¸@€º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELè›Ñ^à ¬Ê à@  @…ÄÉWà  H.text$ª ¬ `.rsrcà®@@.reloc ²@B
process_handle: 0x000003b4
base_address: 0x00400000
success 1 0
1619513151.066125
WriteProcessMemory
process_identifier: 2568
buffer:
process_handle: 0x000003b4
base_address: 0x00402000
success 1 0
1619513151.082125
WriteProcessMemory
process_identifier: 2568
buffer: €0€HXत4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoà000004b0,FileDescription 0FileVersion0.0.0.0h$InternalNametFMCGboSPRKXNlwxEpWcvOjaZpEyYLA.exe(LegalCopyright p$OriginalFilenametFMCGboSPRKXNlwxEpWcvOjaZpEyYLA.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0
process_handle: 0x000003b4
base_address: 0x0044e000
success 1 0
1619513151.082125
WriteProcessMemory
process_identifier: 2568
buffer: À :
process_handle: 0x000003b4
base_address: 0x00450000
success 1 0
1619513151.082125
WriteProcessMemory
process_identifier: 2568
buffer: @
process_handle: 0x000003b4
base_address: 0x7efde008
success 1 0
1619513151.082125
NtSetContextThread
thread_handle: 0x000003b8
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4508190
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 2568
success 0 0
1619513151.129125
NtResumeThread
thread_handle: 0x000003b8
suspend_count: 1
process_identifier: 2568
success 0 0
1619513151.145125
NtResumeThread
thread_handle: 0x000003cc
suspend_count: 1
process_identifier: 300
success 0 0
1619513151.285125
NtGetContextThread
thread_handle: 0x000003cc
success 0 0
1619513151.285125
NtGetContextThread
thread_handle: 0x000003cc
success 0 0
1619513151.285125
NtResumeThread
thread_handle: 0x000003cc
suspend_count: 1
process_identifier: 300
success 0 0
1619513151.301875
NtResumeThread
thread_handle: 0x000000d0
suspend_count: 1
process_identifier: 2568
success 0 0
1619513151.316875
NtResumeThread
thread_handle: 0x0000015c
suspend_count: 1
process_identifier: 2568
success 0 0
File has been identified by 55 AntiVirus engines on VirusTotal as malicious (50 out of 55 个事件)
DrWeb Trojan.PackedNET.326
MicroWorld-eScan Trojan.GenericKD.33946335
FireEye Generic.mg.4c59d560fd90ee33
CAT-QuickHeal Trojan.Multi
McAfee RDN/Generic.hbg
Cylance Unsafe
VIPRE Trojan.Win32.Generic!BT
AegisLab Trojan.Multi.Generic.4!c
Sangfor Malware
K7AntiVirus Trojan ( 00567ca81 )
BitDefender Trojan.GenericKD.33946335
K7GW Trojan ( 00567ca81 )
Cybereason malicious.55519a
TrendMicro Trojan.MSIL.WACATAC.THFOABO
BitDefenderTheta Gen:NN.ZemsilF.34128.Im0@auNI1Xi
F-Prot W32/MSIL_Agent.BJN.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:PWSX-gen [Trj]
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
Alibaba TrojanPSW:MSIL/Lokibot.53a1dcfc
ViRobot Trojan.Win32.Z.Inject.568832
Tencent Win32.Trojan.Inject.Auto
Ad-Aware Trojan.GenericKD.33946335
Emsisoft Trojan.GenericKD.33946335 (B)
F-Secure Trojan.TR/AD.AgentTesla.decyb
Invincea heuristic
McAfee-GW-Edition RDN/Generic.hbg
Fortinet Malicious_Behavior.SB
Sophos Mal/Generic-S
Ikarus Trojan.Inject
Cyren W32/MSIL_Agent.BJN.gen!Eldorado
Avira TR/AD.AgentTesla.decyb
MAX malware (ai score=86)
Antiy-AVL Trojan[PSW]/MSIL.Agensla
Endgame malicious (high confidence)
Arcabit Trojan.Generic.D205FADF
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
Microsoft Trojan:MSIL/Lokibot.VN!MTB
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.AgentTesla.R338915
ALYac Trojan.GenericKD.33946335
Malwarebytes Trojan.Crypt.MSIL
Panda Trj/GdSda.A
ESET-NOD32 a variant of MSIL/Kryptik.WDL
TrendMicro-HouseCall Trojan.MSIL.WACATAC.THFOABO
Rising Trojan.GenKryptik!8.AA55 (CLOUD)
Yandex Trojan.AvsArher.bTJEKx
SentinelOne DFI - Malicious PE
eGambit Unsafe.AI_Score_99%
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)
dead_host 172.217.24.14:443
dead_host 172.217.160.78:443
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-06-01 09:24:37

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49184 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49185 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49183 203.208.41.33 redirector.gvt1.com 80
192.168.56.101 49194 203.208.41.34 update.googleapis.com 443
192.168.56.101 49181 203.208.41.98 update.googleapis.com 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 53500 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 56743 114.114.114.114 53
192.168.56.101 57367 114.114.114.114 53
192.168.56.101 58070 114.114.114.114 53
192.168.56.101 60088 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 54991 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d3281c31450c7ca0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619483786&mv=m 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d3281c31450c7ca0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619483786&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=0-7019
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d3281c31450c7ca0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619483786&mv=m 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d3281c31450c7ca0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619483786&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619483786&mv=m&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619483786&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d3281c31450c7ca0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619483786&mv=m 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d3281c31450c7ca0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619483786&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=213145-398005
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d3281c31450c7ca0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619483786&mv=m 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d3281c31450c7ca0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619483786&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=121755-213144
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d3281c31450c7ca0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619483786&mv=m 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d3281c31450c7ca0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619483786&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=77204-121754
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d3281c31450c7ca0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619483786&mv=m 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d3281c31450c7ca0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619483786&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=34797-55996
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d3281c31450c7ca0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619483786&mv=m 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d3281c31450c7ca0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619483786&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=19395-34796
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d3281c31450c7ca0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619483786&mv=m 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=d3281c31450c7ca0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619483786&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=7020-19394
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.