SmartHawk

7.4

高危

4 个模型检测该样本为恶意！

重新分析

下载样本

9600ed28ab05fa986610118bed15570937ae89a96cdfa40d7d4c512c9b85b3ee

5625973dbb5684804b364c471c13cec3.exe

分析耗时

109s

最近分析

文件大小

4.3MB

静态报毒动态报毒 DLLKITSTER FILEREPMALWARE UNWANTEDSIG

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee		20200907	6.0.6.653
Baidu		20190318	1.0.0.2
Alibaba		20190527	0.3.0.5
Avast	Win32:UnwantedSig [PUP]	20200908	18.4.3895.0
Tencent		20200907	1.0.0.1
Kingsoft		20200907	2013.8.14.323
CrowdStrike		20190702	1.0

Queries for the computername (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620789345.541875 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

Checks if process is being debugged by a debugger (11 个事件)

Time & API	Arguments	Status	Return	Repeated
1620788895.123771 IsDebuggerPresent		failed	0	0
1620788895.123771 IsDebuggerPresent		failed	0	0
1620788906.123771 IsDebuggerPresent		failed	0	0
1620788921.263771 IsDebuggerPresent		failed	0	0
1620788923.107771 IsDebuggerPresent		failed	0	0
1620788927.685771 IsDebuggerPresent		failed	0	0
1620788927.716771 IsDebuggerPresent		failed	0	0
1620788928.810771 IsDebuggerPresent		failed	0	0
1620788941.373771 IsDebuggerPresent		failed	0	0
1620788941.373771 IsDebuggerPresent		failed	0	0
1620788950.763771 IsDebuggerPresent		failed	0	0

Command line console output was observed (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620789345.557875 WriteConsoleW	buffer: 错误: console_handle: 0x000000000000000b	success	1	0
1620789345.557875 WriteConsoleW	buffer: 系统找不到指定的文件。 console_handle: 0x000000000000000b	success	1	0

Uses Windows APIs to generate a cryptographic key (50 out of 101 个事件)

Time & API	Arguments	Status	Return
1620788897.451771 CryptExportKey	crypto_handle: 0x00000000003ddb40 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788898.435771 CryptExportKey	crypto_handle: 0x00000000003ddc90 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788899.310771 CryptExportKey	crypto_handle: 0x00000000003ddde0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788899.373771 CryptExportKey	crypto_handle: 0x00000000003ddde0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788899.435771 CryptExportKey	crypto_handle: 0x00000000003ddde0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788899.482771 CryptExportKey	crypto_handle: 0x00000000003ddde0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788899.544771 CryptExportKey	crypto_handle: 0x00000000003ddde0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788899.654771 CryptExportKey	crypto_handle: 0x00000000003dde50 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788899.716771 CryptExportKey	crypto_handle: 0x00000000003dde50 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788899.779771 CryptExportKey	crypto_handle: 0x00000000003dde50 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788901.404771 CryptExportKey	crypto_handle: 0x00000000003de0f0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788903.513771 CryptExportKey	crypto_handle: 0x000000001b9aa330 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788903.623771 CryptExportKey	crypto_handle: 0x000000001b9aa330 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788903.716771 CryptExportKey	crypto_handle: 0x000000001b9aa330 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788903.826771 CryptExportKey	crypto_handle: 0x000000001b9aa330 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788903.935771 CryptExportKey	crypto_handle: 0x000000001b9aa330 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788919.857771 CryptExportKey	crypto_handle: 0x000000001ba00410 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788919.873771 CryptExportKey	crypto_handle: 0x000000001ba00410 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788920.216771 CryptExportKey	crypto_handle: 0x000000001ba00480 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788920.216771 CryptExportKey	crypto_handle: 0x000000001ba00480 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788920.341771 CryptExportKey	crypto_handle: 0x000000001ba004f0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788920.341771 CryptExportKey	crypto_handle: 0x000000001ba004f0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788920.451771 CryptExportKey	crypto_handle: 0x000000001ba00560 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788920.466771 CryptExportKey	crypto_handle: 0x000000001ba00560 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788920.576771 CryptExportKey	crypto_handle: 0x000000001ba005d0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788920.576771 CryptExportKey	crypto_handle: 0x000000001ba005d0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788920.685771 CryptExportKey	crypto_handle: 0x000000001ba00640 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788920.685771 CryptExportKey	crypto_handle: 0x000000001ba00640 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788920.794771 CryptExportKey	crypto_handle: 0x000000001ba006b0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788920.810771 CryptExportKey	crypto_handle: 0x000000001ba006b0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788920.904771 CryptExportKey	crypto_handle: 0x000000001ba00720 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788920.919771 CryptExportKey	crypto_handle: 0x000000001ba00720 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788923.701771 CryptExportKey	crypto_handle: 0x000000001ba00720 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788931.435771 CryptExportKey	crypto_handle: 0x000000001ba00a30 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788931.638771 CryptExportKey	crypto_handle: 0x000000001ba00a30 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788931.732771 CryptExportKey	crypto_handle: 0x000000001ba00a30 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788931.810771 CryptExportKey	crypto_handle: 0x000000001ba00a30 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788931.904771 CryptExportKey	crypto_handle: 0x000000001ba00a30 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788932.013771 CryptExportKey	crypto_handle: 0x000000001ba00a30 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788932.029771 CryptExportKey	crypto_handle: 0x000000001ba00a30 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788932.029771 CryptExportKey	crypto_handle: 0x000000001ba00a30 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788932.451771 CryptExportKey	crypto_handle: 0x000000001ba00db0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788932.466771 CryptExportKey	crypto_handle: 0x000000001ba00db0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788932.560771 CryptExportKey	crypto_handle: 0x000000001ba00db0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788933.341771 CryptExportKey	crypto_handle: 0x000000001ba00e90 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788933.341771 CryptExportKey	crypto_handle: 0x000000001ba00e90 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788933.482771 CryptExportKey	crypto_handle: 0x000000001ba00e90 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788935.982771 CryptExportKey	crypto_handle: 0x000000001c80a3e0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788935.998771 CryptExportKey	crypto_handle: 0x000000001c80a3e0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1
1620788936.123771 CryptExportKey	crypto_handle: 0x000000001c80a3e0 crypto_export_handle: 0x0000000000000000 buffer: <INVALID POINTER> blob_type: 6 flags: 0	success	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable is signed

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620788895.185771 GlobalMemoryStatusEx		success	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)

suspicious_features

POST method with no referer header

suspicious_request

POST https://update.googleapis.com/service/update2?cup2key=10:722304312&cup2hreq=d8fea36c936dcfdd92811f477bbbb9596e84a89398f05eb91dd6897e61b35fa7

Performs some HTTP requests (5 个事件)

request	HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620760339&mv=m&mvi=1&pl=23&shardbypass=yes
request	HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9cdc3b134e90f748&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620760098&mv=m&mvi=3
request	GET http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9cdc3b134e90f748&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620760098&mv=m&mvi=3
request	POST https://update.googleapis.com/service/update2?cup2key=10:722304312&cup2hreq=d8fea36c936dcfdd92811f477bbbb9596e84a89398f05eb91dd6897e61b35fa7

Sends data using the HTTP POST Method (1 个事件)

request

POST https://update.googleapis.com/service/update2?cup2key=10:722304312&cup2hreq=d8fea36c936dcfdd92811f477bbbb9596e84a89398f05eb91dd6897e61b35fa7

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1260 个事件)

Time & API	Arguments	Status
1620788894.388771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x0000000000500000	success
1620788894.388771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0000000000520000	success
1620788894.810771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 2359296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x0000000002800000	success
1620788894.810771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00000000029c0000	success
1620788894.888771 NtProtectVirtualMemory	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1b61000	success
1620788894.888771 NtProtectVirtualMemory	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1b61000	success
1620788894.904771 NtProtectVirtualMemory	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef21e0000	success
1620788895.107771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x0000000002630000	success
1620788895.123771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00000000026e0000	success
1620788895.138771 NtProtectVirtualMemory	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1b62000	success
1620788895.154771 NtProtectVirtualMemory	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1b62000	success
1620788895.154771 NtProtectVirtualMemory	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1b62000	success
1620788895.154771 NtProtectVirtualMemory	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1b62000	success
1620788895.154771 NtProtectVirtualMemory	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1b62000	success
1620788895.154771 NtProtectVirtualMemory	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1b63000	success
1620788895.154771 NtProtectVirtualMemory	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1b63000	success
1620788895.154771 NtProtectVirtualMemory	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1b63000	success
1620788895.154771 NtProtectVirtualMemory	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1b63000	success
1620788895.154771 NtProtectVirtualMemory	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1b63000	success
1620788895.154771 NtProtectVirtualMemory	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1b63000	success
1620788895.154771 NtProtectVirtualMemory	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1b63000	success
1620788895.154771 NtProtectVirtualMemory	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1b61000	success
1620788895.169771 NtProtectVirtualMemory	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1b62000	success
1620788895.169771 NtProtectVirtualMemory	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1b62000	success
1620788895.169771 NtProtectVirtualMemory	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1b62000	success
1620788895.169771 NtProtectVirtualMemory	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1b62000	success
1620788895.169771 NtProtectVirtualMemory	process_identifier: 2436 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff base_address: 0x000007fef1b62000	success
1620788895.748771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff00032000	success
1620788895.779771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff00022000	success
1620788896.076771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) base_address: 0x000007fffff00000	success
1620788896.076771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007fffff00000	success
1620788896.076771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007fffff00000	success
1620788896.091771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007fffff10000	success
1620788896.091771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) base_address: 0x000007ffffef0000	success
1620788896.091771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ffffef0000	success
1620788896.091771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff0002a000	success
1620788896.123771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff00033000	success
1620788896.123771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff000dc000	success
1620788896.138771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff00106000	success
1620788896.138771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff000e0000	success
1620788896.466771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff00034000	success
1620788896.498771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff0002b000	success
1620788897.576771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff00035000	success
1620788897.576771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff001d0000	success
1620788897.654771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff001d6000	success
1620788898.544771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff001d7000	success
1620788898.544771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff001d9000	success
1620788898.576771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff001da000	success
1620788898.748771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff0003c000	success
1620788899.044771 NtAllocateVirtualMemory	process_identifier: 2436 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x000007ff001db000	success

Creates executable files on the filesystem (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\Installer.msi

Creates a suspicious process (2 个事件)

cmdline	Schtasks.exe /Delete /TN ErrorFixKITInstaller /F
cmdline	"C:\Windows\System32\schtasks.exe" /Delete /TN ErrorFixKITInstaller /F

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620788915.513771 ShellExecuteExW	parameters: /Delete /TN ErrorFixKITInstaller /F filepath: Schtasks.exe filepath_r: Schtasks.exe show_type: 0	success	1	0

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 个事件)

Avast	Win32:UnwantedSig [PUP]
DrWeb	Program.Unwanted.2591
Microsoft	PUA:Win32/Dllkitster
AVG	FileRepMalware [PUP]

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.7511180903728345

section

{'size_of_data': '0x00429000', 'virtual_address': '0x00002000', 'entropy': 7.7511180903728345, 'name': '.text', 'virtual_size': '0x00428e3c'}

description

A section with a high entropy has been found

entropy

0.9583802024746907

description

Overall entropy of this PE file is high

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	Schtasks.exe /Delete /TN ErrorFixKITInstaller /F
cmdline	"C:\Windows\System32\schtasks.exe" /Delete /TN ErrorFixKITInstaller /F

Communicates with host for which no DNS query was performed (2 个事件)

host	185.215.113.93
host	172.217.24.14

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 个事件)

dead_host	172.217.24.14:443
dead_host	172.217.160.110:443

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2018-06-20 23:32:14

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
r3---sn-j5o7dn7e.gvt1.com	CNAME r3.sn-j5o7dn7e.gvt1.com A 113.108.239.196	113.108.239.196
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
r1---sn-j5o7dn7e.gvt1.com	A 113.108.239.194 CNAME r1.sn-j5o7dn7e.gvt1.com	113.108.239.194
clients2.google.com	A 172.217.160.110 CNAME clients.l.google.com	216.58.200.78
redirector.gvt1.com	A 203.208.41.65	58.63.233.97
update.googleapis.com	A 203.208.41.98	113.108.239.162
teredo.ipv6.microsoft.com

TCP

Source	Source Port	Destination	Destination Port
185.215.113.93	80	192.168.56.101	49183
192.168.56.101	49185	113.108.239.194 r1---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49186	113.108.239.196 r3---sn-j5o7dn7e.gvt1.com	80
192.168.56.101	49184	203.208.41.65 redirector.gvt1.com	80
192.168.56.101	49183	203.208.41.98 update.googleapis.com	443

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	51963	114.114.114.114	53
192.168.56.101	53237	114.114.114.114	53
192.168.56.101	54178	114.114.114.114	53
192.168.56.101	55368	114.114.114.114	53
192.168.56.101	57236	114.114.114.114	53
192.168.56.101	60221	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	62912	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	53210	224.0.0.252	5355
192.168.56.101	53657	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355
192.168.56.101	57874	224.0.0.252	5355
192.168.56.101	58367	224.0.0.252	5355
192.168.56.101	60088	224.0.0.252	5355
192.168.56.101	60123	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9cdc3b134e90f748&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620760098&mv=m&mvi=3	GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9cdc3b134e90f748&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620760098&mv=m&mvi=3 HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT Range: bytes=740868-1208979 User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9cdc3b134e90f748&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620760098&mv=m&mvi=3	GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9cdc3b134e90f748&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620760098&mv=m&mvi=3 HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT Range: bytes=52407-73001 User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9cdc3b134e90f748&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620760098&mv=m&mvi=3	GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9cdc3b134e90f748&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620760098&mv=m&mvi=3 HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT Range: bytes=31446-52406 User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9cdc3b134e90f748&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620760098&mv=m&mvi=3	GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9cdc3b134e90f748&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620760098&mv=m&mvi=3 HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT Range: bytes=116834-205691 User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9cdc3b134e90f748&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620760098&mv=m&mvi=3	GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9cdc3b134e90f748&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620760098&mv=m&mvi=3 HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT Range: bytes=18923-31445 User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9cdc3b134e90f748&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620760098&mv=m&mvi=3	GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9cdc3b134e90f748&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620760098&mv=m&mvi=3 HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT Range: bytes=0-6813 User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: redirector.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620760339&mv=m&mvi=1&pl=23&shardbypass=yes	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620760339&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r1---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9cdc3b134e90f748&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620760098&mv=m&mvi=3	GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9cdc3b134e90f748&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620760098&mv=m&mvi=3 HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT Range: bytes=383418-740867 User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9cdc3b134e90f748&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620760098&mv=m&mvi=3	GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=9cdc3b134e90f748&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1620760098&mv=m&mvi=3 HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT Range: bytes=1208980-1310831 User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r3---sn-j5o7dn7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.