18.8
0-day

51546731d7c742d1cf3f23dfc8ccc51ac884810b235143cf851943bb96a8da6a

4c792c9b5ecac56d8154aafcff4afb61.exe

Analysis duration

132s

Last analysis

File size

464.0KB
Static scan: flagged malicious. Dynamic scan: flagged malicious. Detection tags: 100% AI SCORE=100 AIDETECTVM ALI2000010 BSCOPE CONFIDENCE DQ0@AUU8BRHI DQZH FALYIZ FILECODER FILECRYPTER FXTI397GROL GENCIRC GENERICKD GENERICRXBG HIGH CONFIDENCE ICUKK JXCJHBZEFH8 KCLOUD MALWARE1 MALWARE@#GUXP3LS47OH4 MILICRY SAGE SAGECRYPT SCORE STATIC AI SUSPICIOUS PE TSGENERIC UNSAFE ZEXAF
HawkEye engine
Not scanned: no HawkEye engine result available
Static verdict
Antivirus engines
Engine | Result | Scan date | Engine version
Alibaba | Ransom:Win32/generic.ali2000010 | 20190527 | 0.3.0.5
Baidu | - | 20190318 | 1.0.0.2
Avast | Win32:Trojan-gen | 20201214 | 21.1.5827.0
Tencent | Malware.Win32.Gencirc.10b2ea82 | 20201214 | 1.0.0.1
Kingsoft | Win32.Troj.Undef.(kcloud) | 20201214 | 2017.9.26.565
McAfee | GenericRXBG-ZF!4C792C9B5ECA | 20201214 | 6.0.6.653
CrowdStrike | win/malicious_confidence_100% (W) | 20190702 | 1.0
Static indicators
Queries for the computer name (6 events)
Time & API Arguments Status Return Repeated
1620753711.648876
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620753712.258876
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620753718.570999
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620753719.367999
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620753725.759249
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1620753725.759249
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if the process is being debugged by a debugger (1 event)
Time & API Arguments Status Return Repeated
1620753718.976999
IsDebuggerPresent
failed 0 0
Command line console output was observed (3 events)
Time & API Arguments Status Return Repeated
1620753714.258876
WriteConsoleW
buffer: 成功: 成功创建计划任务 "N0mFUQoa"。
console_handle: 0x00000007
success 1 0
1620753725.274249
WriteConsoleW
buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp.
console_handle: 0x00000007
success 1 0
1620753725.774249
WriteConsoleW
buffer: 错误: 意外故障: 没有注册类
console_handle: 0x00000007
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\MachineGuid
Checks the amount of memory in the system; this can be used to detect virtual machines that have little memory available (1 event)
Time & API Arguments Status Return Repeated
1620753705.508876
GlobalMemoryStatusEx
success 1 0
The file contains an unknown PE resource name, possibly indicative of a packer (2 events)
resource name BIN
resource name None
One or more processes crashed (4 events)
Time & API Arguments Status Return Repeated
1620753705.789876
__exception__
stacktrace:
4c792c9b5ecac56d8154aafcff4afb61+0xc174 @ 0x40c174
4c792c9b5ecac56d8154aafcff4afb61+0x16040 @ 0x416040
4c792c9b5ecac56d8154aafcff4afb61+0x15d8d @ 0x415d8d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1632492
registers.edi: 0
registers.eax: 0
registers.ebp: 1632548
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 318520485
exception.instruction_r: 39 7e 04 75 04 83 4d e4 04 bb fe ff ff ff 89 5d
exception.symbol: JetUpdate+0x66 JetSetColumns-0x218 esent+0x49977
exception.instruction: cmp dword ptr [esi + 4], edi
exception.module: ESENT.dll
exception.exception_code: 0xc0000005
exception.offset: 301431
exception.address: 0x748e9977
success 0 0
1620753710.196249
__exception__
stacktrace:
4c792c9b5ecac56d8154aafcff4afb61+0xc174 @ 0x40c174
4c792c9b5ecac56d8154aafcff4afb61+0x16040 @ 0x416040
4c792c9b5ecac56d8154aafcff4afb61+0x15d8d @ 0x415d8d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1632492
registers.edi: 0
registers.eax: 0
registers.ebp: 1632548
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 318520485
exception.instruction_r: 39 7e 04 75 04 83 4d e4 04 bb fe ff ff ff 89 5d
exception.symbol: JetUpdate+0x66 JetSetColumns-0x218 esent+0x49977
exception.instruction: cmp dword ptr [esi + 4], edi
exception.module: ESENT.dll
exception.exception_code: 0xc0000005
exception.offset: 301431
exception.address: 0x748e9977
success 0 0
1620753712.711999
__exception__
stacktrace:
rj3fnwf3+0xc174 @ 0x40c174
rj3fnwf3+0x16040 @ 0x416040
rj3fnwf3+0x15d8d @ 0x415d8d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1632492
registers.edi: 0
registers.eax: 0
registers.ebp: 1632548
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 2146895237
exception.instruction_r: 39 7e 04 75 04 83 4d e4 04 bb fe ff ff ff 89 5d
exception.symbol: JetUpdate+0x66 JetSetColumns-0x218 esent+0x49977
exception.instruction: cmp dword ptr [esi + 4], edi
exception.module: ESENT.dll
exception.exception_code: 0xc0000005
exception.offset: 301431
exception.address: 0x748e9977
success 0 0
1620753719.852124
__exception__
stacktrace:
rj3fnwf3+0xc174 @ 0x40c174
rj3fnwf3+0x16040 @ 0x416040
rj3fnwf3+0x15d8d @ 0x415d8d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1632492
registers.edi: 0
registers.eax: 0
registers.ebp: 1632548
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 3380191637
exception.instruction_r: 39 7e 04 75 04 83 4d e4 04 bb fe ff ff ff 89 5d
exception.symbol: JetUpdate+0x66 JetSetColumns-0x218 esent+0x49977
exception.instruction: cmp dword ptr [esi + 4], edi
exception.module: ESENT.dll
exception.exception_code: 0xc0000005
exception.offset: 301431
exception.address: 0x748e9977
success 0 0
Behavioral verdict
Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware-related traffic (1 event)
suspicious_features POST method with no referer header
suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:2001183741&cup2hreq=0921975b60dd3ffbb65fd7b5b72f5c2714cdb510e2370a103b919a950ee65916
Performs some HTTP requests (4 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620724820&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=4cb2a3e3f55ead32&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620724820&mv=m&mvi=3
request POST https://update.googleapis.com/service/update2?cup2key=10:2001183741&cup2hreq=0921975b60dd3ffbb65fd7b5b72f5c2714cdb510e2370a103b919a950ee65916
Sends data using the HTTP POST method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:2001183741&cup2hreq=0921975b60dd3ffbb65fd7b5b72f5c2714cdb510e2370a103b919a950ee65916
Allocates read-write-execute memory (usually to unpack itself) (50 out of 253 events shown)
Time & API Arguments Status Return Repeated
1620753705.836876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 548864
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02340000
success 0 0
1620753705.836876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 163840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02360000
success 0 0
1620753708.164876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753708.226876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753708.242876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753708.320876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753708.367876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753708.398876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753708.414876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753708.445876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753708.476876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753708.554876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753708.586876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753708.633876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753708.664876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753708.711876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753708.726876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753708.726876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753708.773876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753708.804876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753708.851876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753708.898876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753708.945876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753708.976876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753709.039876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753709.070876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753709.070876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753709.070876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753709.070876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753709.086876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753709.086876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753709.117876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753709.179876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753709.211876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753709.258876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753709.289876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753709.336876
NtAllocateVirtualMemory
process_identifier: 2468
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02c70000
success 0 0
1620753709.367876
NtProtectVirtualMemory
process_identifier: 2468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1620753709.367876
NtProtectVirtualMemory
process_identifier: 2468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00401000
success 0 0
1620753709.367876
NtProtectVirtualMemory
process_identifier: 2468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00402000
success 0 0
1620753709.367876
NtProtectVirtualMemory
process_identifier: 2468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00403000
success 0 0
1620753709.367876
NtProtectVirtualMemory
process_identifier: 2468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00404000
success 0 0
1620753709.367876
NtProtectVirtualMemory
process_identifier: 2468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00405000
success 0 0
1620753709.367876
NtProtectVirtualMemory
process_identifier: 2468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00406000
success 0 0
1620753709.367876
NtProtectVirtualMemory
process_identifier: 2468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00407000
success 0 0
1620753709.367876
NtProtectVirtualMemory
process_identifier: 2468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00408000
success 0 0
1620753709.367876
NtProtectVirtualMemory
process_identifier: 2468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00409000
success 0 0
1620753709.367876
NtProtectVirtualMemory
process_identifier: 2468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0040a000
success 0 0
1620753709.367876
NtProtectVirtualMemory
process_identifier: 2468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0040b000
success 0 0
1620753709.367876
NtProtectVirtualMemory
process_identifier: 2468
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0040c000
success 0 0
Creates executable files on the filesystem (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe
Creates a suspicious process (4 events)
cmdline bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
cmdline "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline bcdedit.exe /set {default} recoveryenabled no
cmdline schtasks /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4c792c9b5ecac56d8154aafcff4afb61.exe
A process created a hidden window (3 events)
Time & API Arguments Status Return Repeated
1620753711.648876
ShellExecuteExW
parameters: /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
filepath: schtasks
filepath_r: schtasks
show_type: 0
success 1 0
1620753715.320876
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\f252888.vbs
show_type: 0
success 1 0
1620753724.289999
ShellExecuteExW
parameters: delete shadows /all /quiet
filepath: vssadmin.exe
filepath_r: vssadmin.exe
show_type: 0
success 1 0
Moves the original executable to a new location (1 event)
Time & API Arguments Status Return Repeated
1620753715.336876
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4c792c9b5ecac56d8154aafcff4afb61.exe
newfilepath:
newfilepath_r:
flags: 4
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4c792c9b5ecac56d8154aafcff4afb61.exe
success 1 0
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1620753705.976876
GetAdaptersAddresses
flags: 1158
family: 0
success 0 0
Checks for the Locally Unique Identifier of a suspicious privilege on the system (1 event)
Time & API Arguments Status Return Repeated
1620753725.259249
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline schtasks /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Enumerates services, possibly for anti-virtualization (1 event)
Time & API Arguments Status Return Repeated
1620753723.976999
EnumServicesStatusW
service_handle: 0x005900e0
service_type: 48
service_status: 3
success 1 0
Installs itself for autorun at Windows startup (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline schtasks /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
Attempts to detect Cuckoo Sandbox through the presence of a file (1 event)
file C:\tmpsij43m\analyzer.py
Runs bcdedit commands specific to ransomware (2 events)
cmdline bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
cmdline bcdedit.exe /set {default} recoveryenabled no
Deletes a large number of files from the system, indicative of ransomware, wiper malware or system destruction (50 out of 1130 events shown)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\4c792c9b5ecac56d8154aafcff4afb61.exe
file C:\Python27\Lib\site-packages\pip\_vendor\packaging\markers.py
file C:\Python27\Tools\Scripts\copytime.py
file C:\tmpsij43m\modules\packages\js.py
file C:\Python27\Lib\site-packages\pip\_vendor\webencodings\mklabels.py
file C:\Python27\Tools\Scripts\ndiff.py
file C:\Python27\Lib\sqlite3\test\hooks.py
file C:\Python27\Lib\test\test_iterlen.py
file C:\Python27\Lib\site-packages\setuptools\command\rotate.py
file C:\Python27\Lib\test\pythoninfo.py
file C:\Python27\Lib\site-packages\pip\_vendor\lockfile\__init__.py
file C:\Python27\Lib\test\test_multibytecodec.py
file C:\Python27\Lib\wsgiref\util.py
file C:\Python27\Lib\xml\dom\xmlbuilder.py
file C:\Python27\Lib\site-packages\pip\_vendor\pkg_resources\__init__.py
file C:\Python27\Lib\test\test_import.py
file C:\Python27\Lib\test\test_generators.py
file C:\Python27\Lib\site-packages\pip\_vendor\packaging\__init__.py
file C:\Python27\Lib\site-packages\setuptools\unicode_utils.py
file C:\Python27\Lib\test\test_textwrap.py
file C:\Python27\include\pythonrun.h
file C:\Python27\Lib\test\sample_doctest_no_doctests.py
file C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm
file C:\Python27\Lib\test\test_fileinput.py
file C:\Python27\tcl\tix8.4.3\bitmaps\openfold.xpm
file C:\Python27\Tools\Scripts\fixnotice.py
file C:\Python27\Lib\sysconfig.py
file C:\Python27\Tools\Scripts\lll.py
file C:\Python27\Lib\test\test_macpath.py
file C:\Python27\Lib\test\test_future_builtins.py
file C:\Python27\include\dtoa.h
file C:\Python27\Lib\__phello__.foo.py
file C:\Python27\Lib\site-packages\pip\_vendor\msgpack\__init__.py
file C:\Python27\Lib\test\badsyntax_future4.py
file C:\Python27\Lib\test\test_imghdr.py
file C:\Python27\Lib\test\test_zipfile64.py
file C:\Python27\Lib\test\test_cl.py
file C:\Python27\Lib\test\test_capi.py
file C:\Python27\tcl\tix8.4.3\bitmaps\act_fold.xpm
file C:\Python27\Lib\test\test_userstring.py
file C:\Python27\Lib\site-packages\pip\_vendor\requests\models.py
file C:\tmpsij43m\modules\packages\generic.py
file C:\Python27\Lib\test\test_hash.py
file C:\Python27\Lib\site-packages\pip\_vendor\requests\compat.py
file C:\Python27\Lib\test\test_defaultdict.py
file C:\Python27\Lib\test\test_file.py
file C:\Python27\Lib\wave.py
file C:\Python27\Lib\test\test_long_future.py
file C:\Python27\Tools\Scripts\cvsfiles.py
Removes the Shadow Copies to prevent recovery of the system (1 event)
cmdline vssadmin.exe delete shadows /all /quiet
Uses suspicious command line tools or Windows utilities (2 events)
cmdline vssadmin.exe delete shadows /all /quiet
cmdline "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
The process wscript.exe wrote an executable file to disk (1 event)
file C:\Windows\SysWOW64\wscript.exe
Detects VirtualBox through the presence of a device (2 events)
file \??\VBoxGuest
file \??\VBoxMiniRdrDN
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No runtime screenshots: no screenshots were captured while the sample ran

PE Compile Time

2017-04-14 17:32:27

Imports

Library KERNEL32.dll:
0x4380a8 GetConsoleOutputCP
0x4380ac WriteConsoleA
0x4380b0 SetStdHandle
0x4380b4 SetFilePointer
0x4380b8 GetStringTypeW
0x4380bc GetStringTypeA
0x4380c0 LCMapStringW
0x4380c4 LCMapStringA
0x4380c8 GetConsoleMode
0x4380cc GetConsoleCP
0x4380d0 FlushFileBuffers
0x4380d4 SetHandleCount
0x4380ec GetCPInfo
0x4380f0 GetOEMCP
0x4380f4 GetACP
0x4380f8 VirtualAlloc
0x4380fc VirtualFree
0x438100 HeapCreate
0x438104 HeapFree
0x438108 HeapReAlloc
0x43810c GlobalFree
0x438110 OutputDebugStringW
0x438114 GetFileType
0x438118 WriteConsoleW
0x43811c OutputDebugStringA
0x438120 WriteFile
0x438124 GetStdHandle
0x438128 DebugBreak
0x43812c TlsFree
0x438130 TlsSetValue
0x438134 TlsAlloc
0x438138 TlsGetValue
0x43813c FatalAppExitA
0x438140 GetStartupInfoA
0x438144 GetVersionExA
0x438148 GetCommandLineA
0x43814c RtlUnwind
0x438150 Sleep
0x438154 GetConsoleWindow
0x438158 lstrcpyA
0x43815c LoadLibraryW
0x438160 lstrcatA
0x438164 GetProcAddress
0x438168 FindNextFileA
0x43816c FindClose
0x438170 lstrcpynA
0x438174 lstrlenA
0x438178 GetModuleFileNameA
0x43817c LoadLibraryA
0x438180 GetCurrentThreadId
0x438184 GetCurrentProcessId
0x43818c DeleteFileA
0x438190 MultiByteToWideChar
0x438194 SetLastError
0x438198 SetLocaleInfoW
0x4381a0 GetThreadLocale
0x4381a4 IsValidLocale
0x4381a8 GetLocaleInfoW
0x4381ac WideCharToMultiByte
0x4381b0 GetLocaleInfoA
0x4381b4 GetTickCount
0x4381bc GlobalAlloc
0x4381c0 IsBadReadPtr
0x4381c4 HeapValidate
0x4381c8 GetModuleFileNameW
0x4381cc FindFirstFileA
0x4381d0 GetLastError
0x4381d4 GetModuleHandleA
0x4381dc Thread32First
0x4381e0 IsDebuggerPresent
0x4381e8 TerminateProcess
0x4381ec RaiseException
0x438208 GetProcessHeap
0x43820c ExitProcess
0x438210 HeapAlloc
0x438214 Thread32Next
0x438218 CloseHandle
0x43821c CreateFileA
0x438220 ReadFile
0x438224 HeapDestroy
0x438228 GetCurrentProcess
Library USER32.dll:
0x438270 GetWindowRect
0x438274 ShowWindow
0x438278 ScreenToClient
0x43827c EnableWindow
0x438280 SetRect
0x438284 GetWindowLongA
0x438288 PostQuitMessage
0x43828c SendMessageA
0x438290 GetDialogBaseUnits
0x438294 GetSysColor
0x438298 UpdateWindow
0x43829c GetScrollInfo
0x4382a0 EnableScrollBar
0x4382a4 CreateWindowExA
0x4382a8 GetDC
0x4382ac IsWindowEnabled
0x4382b4 GetDlgItem
0x4382b8 GetDlgItemTextA
0x4382bc EnumPropsA
0x4382c0 SetWindowPos
0x4382c4 DefWindowProcA
0x4382c8 GetSystemMetrics
0x4382cc GetMessagePos
0x4382d0 DestroyMenu
0x4382d4 AppendMenuA
0x4382d8 CreatePopupMenu
0x4382dc SetCursorPos
0x4382e0 GetCursorPos
0x4382e4 FindWindowA
0x4382e8 FindWindowExA
0x4382ec LoadAcceleratorsA
0x4382f0 EndDialog
0x4382f4 SetFocus
0x4382f8 GetSystemMenu
0x4382fc EnableMenuItem
0x438300 DrawMenuBar
0x438304 GetMenu
0x438308 ModifyMenuA
0x43830c LoadBitmapA
0x438310 ReleaseDC
0x438314 KillTimer
0x438318 TrackPopupMenuEx
0x43831c MessageBoxA
0x438320 BeginPaint
0x438324 GetClientRect
0x438328 GetFocus
0x43832c GetIconInfo
0x438334 SetWindowLongA
0x438338 SetDlgItemInt
0x43833c SendDlgItemMessageA
0x438340 GetDlgItemInt
0x438344 GetForegroundWindow
Library GDI32.dll:
0x438038 LineTo
0x43803c CreatePolygonRgn
0x438040 FillRgn
0x438044 CreatePen
0x438048 CreateDCW
0x43804c GetDeviceCaps
0x438050 CreateDIBSection
0x438054 DeleteDC
0x438058 SaveDC
0x43805c RestoreDC
0x438060 SetDCPenColor
0x438064 GetObjectA
0x438068 CreateRectRgn
0x43806c CombineRgn
0x438070 GetStockObject
0x438074 SetBkColor
0x438078 CreateBitmap
0x43807c Escape
0x438080 CreateSolidBrush
0x438084 GetEnhMetaFileA
0x43808c CreateCompatibleDC
0x438094 SelectObject
0x438098 BitBlt
0x43809c DeleteObject
0x4380a0 MoveToEx
Library WINSPOOL.DRV:
0x43834c OpenPrinterA
0x438350 ClosePrinter
0x438354 EnumJobsA
Library ADVAPI32.dll:
0x438004 OpenProcessToken
Library SHELL32.dll:
0x438244 ShellExecuteA
0x438248 SHGetFileInfoW
0x43824c SHGetFolderPathA
Library ole32.dll:
0x438390 RevokeDragDrop
Library OLEAUT32.dll:
Library WS2_32.dll:
0x43835c gethostbyaddr
0x438360 htons
0x438364 connect
0x438368 inet_addr
Library AVIFIL32.dll:
0x438014 AVIFileInit
Library iphlpapi.dll:
0x438384 GetNetworkParams
0x438388 GetAdaptersInfo
Library SHLWAPI.dll:
0x438254 PathAppendA
0x438258 PathRemoveFileSpecA
0x43825c StrCmpNIA
Library COMCTL32.dll:
0x43801c
0x438020 ImageList_DragEnter
0x438024 ImageList_BeginDrag
Library RPCRT4.dll:
0x438238 RpcMgmtInqStats
Library gdiplus.dll:
0x438378 GdiplusShutdown
0x43837c GdiplusStartup
Library Secur32.dll:
Library dbghelp.dll:
0x438370 MiniDumpWriteDump
Library ESENT.dll:
0x438030 JetUpdate
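The import table above is the most useful static artifact in this section: a GUI/printing application legitimately imports most of GDI32, USER32 and WINSPOOL, but IsDebuggerPresent alongside Thread32First/Thread32Next, raw Winsock connect/inet_addr, GetAdaptersInfo/GetNetworkParams, OpenProcessToken and MiniDumpWriteDump is a combination worth flagging. The script below is an added example, not part of the report or of the sandbox's own code. It parses the report's "Library X.dll:" / "0x... Name" listing format and maps known APIs onto coarse capability tags; the sample listing is constructed from a subset of the lines above, and the "Library KERNEL32.dll:" header is an assumption (this section starts partway through that DLL's imports). An address line with no API name, such as the COMCTL32 entry, is an import the report did not resolve by name and is reported separately rather than guessed.

```python
"""Parse a sandbox import listing and map imported APIs onto coarse
capability tags for triage. Example code, not the sandbox's own."""
import re
from collections import defaultdict

# Constructed from a subset of the import table in the report. The
# KERNEL32 header is assumed: the report section begins mid-way through
# that DLL's imports, so the library name is supplied here.
REPORT_IMPORTS = """\
Library KERNEL32.dll:
0x4381b4 GetTickCount
0x4381c0 IsBadReadPtr
0x4381c8 GetModuleFileNameW
0x4381cc FindFirstFileA
0x4381dc Thread32First
0x4381e0 IsDebuggerPresent
0x4381e8 TerminateProcess
0x438214 Thread32Next
0x43821c CreateFileA
0x438220 ReadFile
Library USER32.dll:
0x4382e4 FindWindowA
0x438344 GetForegroundWindow
Library ADVAPI32.dll:
0x438004 OpenProcessToken
Library SHELL32.dll:
0x438244 ShellExecuteA
0x43824c SHGetFolderPathA
Library WS2_32.dll:
0x43835c gethostbyaddr
0x438364 connect
0x438368 inet_addr
Library iphlpapi.dll:
0x438384 GetNetworkParams
0x438388 GetAdaptersInfo
Library COMCTL32.dll:
0x43801c
0x438020 ImageList_DragEnter
Library dbghelp.dll:
0x438370 MiniDumpWriteDump
"""

# API name -> capability tag. A triage heuristic only: ordinary programs
# import many of these; the interesting signal is the combination.
CAPABILITIES = {
    "IsDebuggerPresent": "anti-debug",
    "GetTickCount": "anti-debug",        # timing-based debugger checks
    "Thread32First": "thread-enum",
    "Thread32Next": "thread-enum",
    "FindWindowA": "window-enum",
    "GetForegroundWindow": "window-enum",
    "FindFirstFileA": "file-enum",
    "CreateFileA": "file-io",
    "ReadFile": "file-io",
    "ShellExecuteA": "process-launch",
    "OpenProcessToken": "token-access",
    "connect": "network",
    "gethostbyaddr": "network",
    "inet_addr": "network",
    "GetAdaptersInfo": "host-fingerprint",
    "GetNetworkParams": "host-fingerprint",
    "MiniDumpWriteDump": "memory-dump",
}

LIB_RE = re.compile(r"^Library\s+(\S+):\s*$")
IMP_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s*(\S*)\s*$")


def parse_imports(text):
    """Return {library: [(address, name_or_None), ...]}.

    An address line with no name is an import the report did not resolve
    (typically an import by ordinal); it is kept with name None rather
    than guessed."""
    imports = defaultdict(list)
    lib = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LIB_RE.match(line)
        if m:
            lib = m.group(1)
            imports[lib]          # register the library even if it has no entries
            continue
        m = IMP_RE.match(line)
        if m and lib is not None:
            imports[lib].append((int(m.group(1), 16), m.group(2) or None))
    return dict(imports)


def tag_capabilities(imports):
    """Return {tag: sorted ['DLL!API', ...]} for every API in CAPABILITIES."""
    tags = defaultdict(list)
    for lib, entries in imports.items():
        for _addr, name in entries:
            tag = CAPABILITIES.get(name)
            if tag:
                tags[tag].append(f"{lib}!{name}")
    return {t: sorted(v) for t, v in tags.items()}


def unresolved_imports(imports):
    """(library, address) pairs the report listed without an API name."""
    return [(lib, hex(addr)) for lib, entries in imports.items()
            for addr, name in entries if name is None]


if __name__ == "__main__":
    imps = parse_imports(REPORT_IMPORTS)
    for tag, apis in sorted(tag_capabilities(imps).items()):
        print(f"{tag:16} {', '.join(apis)}")
    print("unresolved:", unresolved_imports(imps))
```

Run against the full listing, the output is a short capability summary rather than a 150-line API dump, which is what you want when deciding whether the static tags (FileCoder/FileCrypter, Sage) are consistent with what the binary can actually do.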

Hosts

No hosts contacted. (The TCP, UDP and HTTP entries below come from the VM's network capture during the run, not from connections the sandbox attributed to the sample: the HEAD requests to gvt1.com carry the Microsoft BITS/7.5 user agent and fetch GoogleUpdateSetup.exe, which matches a Google Update background job, and the NetBIOS, LLMNR, NTP and DNS entries are routine Windows VM traffic. Treat them as background noise unless process-level evidence ties them to the sample.)

TCP

Source          Source port  Destination      Destination host            Destination port
192.168.56.101  51006        113.108.239.194  r1---sn-j5o7dn7e.gvt1.com   80
192.168.56.101  51012        113.108.239.196  r3---sn-j5o7dn7e.gvt1.com   80
192.168.56.101  49182        192.168.56.1                                  139
192.168.56.101  49183        192.168.56.1                                  139
192.168.56.101  49185        192.168.56.1                                  139
192.168.56.101  50798        203.208.40.66    update.googleapis.com       443
192.168.56.101  51000        203.208.41.65    redirector.gvt1.com         80

UDP

Source          Source port  Destination      Destination host            Destination port
192.168.56.1    137          192.168.56.101                               137
192.168.56.1    138          192.168.56.101                               138
192.168.56.101  53237        114.114.114.114                              53
192.168.56.101  53500        114.114.114.114                              53
192.168.56.101  56743        114.114.114.114                              53
192.168.56.101  57236        114.114.114.114                              53
192.168.56.101  57756        114.114.114.114                              53
192.168.56.101  57874        114.114.114.114                              53
192.168.56.101  58970        114.114.114.114                              53
192.168.56.101  60911        114.114.114.114                              53
192.168.56.101  62318        114.114.114.114                              53
192.168.56.101  137          192.168.56.255                               137
192.168.56.101  138          192.168.56.255                               138
192.168.56.101  123          20.189.79.72     time.windows.com            123
192.168.56.101  49235        224.0.0.252                                  5355
192.168.56.101  49713        224.0.0.252                                  5355
192.168.56.101  50534        224.0.0.252                                  5355
192.168.56.101  50568        224.0.0.252                                  5355
192.168.56.101  51378        224.0.0.252                                  5355
192.168.56.101  51808        224.0.0.252                                  5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620724820&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620724820&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=4cb2a3e3f55ead32&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620724820&mv=m&mvi=3
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=4cb2a3e3f55ead32&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620724820&mv=m&mvi=3 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
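Every flow in the TCP, UDP and HTTP sections above is explainable as sandbox background: LLMNR to 224.0.0.252:5355, NetBIOS on the 192.168.56.0/24 host-only network, DNS to the VM's resolver 114.114.114.114, NTP to time.windows.com, and the BITS HEAD requests for GoogleUpdateSetup.exe. The script below is an added example, not part of the report, showing how to strip that noise systematically so that anything left over is what you spend analyst time on. The flow list is constructed from the tables above, with one hypothetical flow (to 198.51.100.23:4444) added to show what survives the filter; the resolver address, the host-only subnet and the noise domain list are assumptions about this particular sandbox image and must be tuned per environment.

```python
"""Separate sandbox background traffic from flows worth attributing to
the sample. Example code, not part of the report."""
import ipaddress

# Constructed from the report's TCP, UDP and HTTP tables. Fields:
# (proto, src_ip, src_port, dst_ip, dst_host_or_None, dst_port, user_agent_or_None)
FLOWS = [
    ("tcp", "192.168.56.101", 51006, "113.108.239.194", "r1---sn-j5o7dn7e.gvt1.com", 80, "Microsoft BITS/7.5"),
    ("tcp", "192.168.56.101", 51012, "113.108.239.196", "r3---sn-j5o7dn7e.gvt1.com", 80, "Microsoft BITS/7.5"),
    ("tcp", "192.168.56.101", 49182, "192.168.56.1", None, 139, None),
    ("tcp", "192.168.56.101", 50798, "203.208.40.66", "update.googleapis.com", 443, None),
    ("tcp", "192.168.56.101", 51000, "203.208.41.65", "redirector.gvt1.com", 80, "Microsoft BITS/7.5"),
    ("udp", "192.168.56.1", 137, "192.168.56.101", None, 137, None),
    ("udp", "192.168.56.101", 53237, "114.114.114.114", None, 53, None),
    ("udp", "192.168.56.101", 137, "192.168.56.255", None, 137, None),
    ("udp", "192.168.56.101", 123, "20.189.79.72", "time.windows.com", 123, None),
    ("udp", "192.168.56.101", 49235, "224.0.0.252", None, 5355, None),
    # Hypothetical flow, NOT in the report, included to show what the filter keeps.
    ("tcp", "192.168.56.101", 49500, "198.51.100.23", None, 4444, None),
]

# Environment assumptions for this sandbox image (tune per deployment).
SANDBOX_NET = ipaddress.ip_network("192.168.56.0/24")   # host-only VM network
DNS_RESOLVER = ipaddress.ip_address("114.114.114.114")  # resolver configured in the VM
NOISE_DOMAIN_SUFFIXES = (".gvt1.com", ".googleapis.com", "time.windows.com")
NOISE_USER_AGENTS = ("Microsoft BITS/",)                # OS service, not the sample


def classify_flow(flow):
    """Return a background-noise label, or None if the flow needs an analyst."""
    proto, src, _sport, dst, host, dport, ua = flow
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if proto == "udp" and dst == "224.0.0.252" and dport == 5355:
        return "llmnr-multicast"
    if dport in (137, 138, 139) and src_ip in SANDBOX_NET and dst_ip in SANDBOX_NET:
        return "netbios-local"
    if proto == "udp" and dport == 53 and dst_ip == DNS_RESOLVER:
        return "dns-to-resolver"   # the queried names still deserve a look
    if dport == 123 and host == "time.windows.com":
        return "ntp"
    if ua and ua.startswith(NOISE_USER_AGENTS):
        return "bits-update-job"
    if host and host.endswith(NOISE_DOMAIN_SUFFIXES):
        return "vendor-update"
    return None


def triage(flows):
    """Split flows into ({noise_label: count}, [flows to attribute])."""
    noise, keep = {}, []
    for f in flows:
        label = classify_flow(f)
        if label:
            noise[label] = noise.get(label, 0) + 1
        else:
            keep.append(f)
    return noise, keep


if __name__ == "__main__":
    noise, keep = triage(FLOWS)
    print("background:", noise)
    for f in keep:
        print("attribute to sample?", f)
```

The ordering of the checks matters: the gvt1.com requests are classified by the BITS user agent before the domain suffix is consulted, so a request to the same CDN with a different user agent would fall through to the domain rule and, if the domain were not listed, to the analyst. Noise filtering only removes flows you can explain; it never proves the sample was silent, which is why the "No hosts contacted" line above should be read together with the API trace rather than on its own.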

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.