18.8
0-day
19ee6debbef6334a0b5d9eb5f3b0a6a36229c9377b86aa74d3a0a2bd79ee6519
b9272245571192fadabe09dbe414ddb5.exe
Analysis time: 131s
Last analyzed
File size: 464.0KB
Static detection / Dynamic detection: 100% AI SCORE=100 AIDETECTVM ATTRIBUTE BSCOPE CLOUD CONFIDENCE DQ0@AWGZLLBI EOOX FALYIZ FILECODER FILECRYPTER GENCIRC GENERICKD GENERICRXBG GENOME HIGHCONFIDENCE ICUKK MALWARE2 MILICRY MXRESICN QFAAX@0 QVM10 S15245543 SAGE SAGECPMF SAGECRYPT SCORE SUSPICIOUS PE TSGENERIC UNSAFE ZEXAF
Eagle Eye engine (鹰眼引擎)
Not detected: no Eagle Eye engine results are available
Static verdict
Antivirus engines
Engine       Result                              Scan date  Engine version
McAfee       GenericRXBG-ZF!B92722455711         20200825   6.0.6.653
Alibaba      Ransom:Win32/SageCrypt.f7dbde01     20190527   0.3.0.5
CrowdStrike  win/malicious_confidence_100% (W)   20190702   1.0
Baidu                                            20190318   1.0.0.2
Avast        Win32:Malware-gen                   20200824   18.4.3895.0
Tencent      Malware.Win32.Gencirc.10b2ea82      20200825   1.0.0.1
Kingsoft                                         20200825   2013.8.14.323
Static indicators
Queries for the computer name (6 events)
Time & API Arguments Status Return Repeated
1619861118.663943
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619861459.651
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619861462.698502
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619861462.995502
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1619861467.932375
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1619861467.932375
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks whether the process is being debugged (1 event)
Time & API Arguments Status Return Repeated
1619861462.807502
IsDebuggerPresent
failed 0 0
Command-line console output was observed (3 events)
Time & API Arguments Status Return Repeated
1619861460.807
WriteConsoleW
buffer: 成功: 成功创建计划任务 "N0mFUQoa"。
console_handle: 0x00000007
success 1 0
1619861467.667375
WriteConsoleW
buffer: vssadmin 1.1 - 卷影复制服务管理命令行工具 (C) 版权所有 2001-2005 Microsoft Corp.
console_handle: 0x00000007
success 1 0
1619861467.948375
WriteConsoleW
buffer: 错误: 意外故障: 没有注册类
console_handle: 0x00000007
success 1 0
Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\MachineGuid
Checks the amount of memory in the system; this can be used to detect virtual machines that have little memory available (1 event)
Time & API Arguments Status Return Repeated
1619861115.381943
GlobalMemoryStatusEx
success 1 0
The file contains an unknown PE resource name, possibly indicative of a packer (2 events)
resource name BIN
resource name None
One or more processes crashed (4 events)
Time & API Arguments Status Return Repeated
1619861115.585943
__exception__
stacktrace:
b9272245571192fadabe09dbe414ddb5+0xc174 @ 0x40c174
b9272245571192fadabe09dbe414ddb5+0x16040 @ 0x416040
b9272245571192fadabe09dbe414ddb5+0x15d8d @ 0x415d8d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1632492
registers.edi: 0
registers.eax: 0
registers.ebp: 1632548
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 318520485
exception.instruction_r: 39 7e 04 75 04 83 4d e4 04 bb fe ff ff ff 89 5d
exception.symbol: JetUpdate+0x66 JetSetColumns-0x218 esent+0x49977
exception.instruction: cmp dword ptr [esi + 4], edi
exception.module: ESENT.dll
exception.exception_code: 0xc0000005
exception.offset: 301431
exception.address: 0x748e9977
success 0 0
1619861458.526125
__exception__
stacktrace:
b9272245571192fadabe09dbe414ddb5+0xc174 @ 0x40c174
b9272245571192fadabe09dbe414ddb5+0x16040 @ 0x416040
b9272245571192fadabe09dbe414ddb5+0x15d8d @ 0x415d8d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1632492
registers.edi: 0
registers.eax: 0
registers.ebp: 1632548
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 318520485
exception.instruction_r: 39 7e 04 75 04 83 4d e4 04 bb fe ff ff ff 89 5d
exception.symbol: JetUpdate+0x66 JetSetColumns-0x218 esent+0x49977
exception.instruction: cmp dword ptr [esi + 4], edi
exception.module: ESENT.dll
exception.exception_code: 0xc0000005
exception.offset: 301431
exception.address: 0x748e9977
success 0 0
1619861459.776502
__exception__
stacktrace:
rj3fnwf3+0xc174 @ 0x40c174
rj3fnwf3+0x16040 @ 0x416040
rj3fnwf3+0x15d8d @ 0x415d8d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1632492
registers.edi: 0
registers.eax: 0
registers.ebp: 1632548
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 2146895237
exception.instruction_r: 39 7e 04 75 04 83 4d e4 04 bb fe ff ff ff 89 5d
exception.symbol: JetUpdate+0x66 JetSetColumns-0x218 esent+0x49977
exception.instruction: cmp dword ptr [esi + 4], edi
exception.module: ESENT.dll
exception.exception_code: 0xc0000005
exception.offset: 301431
exception.address: 0x748e9977
success 0 0
1619861464.4175
__exception__
stacktrace:
rj3fnwf3+0xc174 @ 0x40c174
rj3fnwf3+0x16040 @ 0x416040
rj3fnwf3+0x15d8d @ 0x415d8d
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 1632492
registers.edi: 0
registers.eax: 0
registers.ebp: 1632548
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 3380191637
exception.instruction_r: 39 7e 04 75 04 83 4d e4 04 bb fe ff ff ff 89 5d
exception.symbol: JetUpdate+0x66 JetSetColumns-0x218 esent+0x49977
exception.instruction: cmp dword ptr [esi + 4], edi
exception.module: ESENT.dll
exception.exception_code: 0xc0000005
exception.offset: 301431
exception.address: 0x748e9977
success 0 0
Behavior verdict
Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware-related traffic (1 event)
suspicious_features: POST method with no referer header
suspicious_request: POST https://update.googleapis.com/service/update2?cup2key=10:2915163501&cup2hreq=a53dace472f0783d2c29a3812e326e7a8e21dcf64f8292ce0d488094f0ba52cd
Performs some HTTP requests (5 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619832496&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=ee5a62eb610cd8fc&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619832496&mv=m
request GET http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=ee5a62eb610cd8fc&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619832496&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:2915163501&cup2hreq=a53dace472f0783d2c29a3812e326e7a8e21dcf64f8292ce0d488094f0ba52cd
Sends data using the HTTP POST method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:2915163501&cup2hreq=a53dace472f0783d2c29a3812e326e7a8e21dcf64f8292ce0d488094f0ba52cd
Allocates read-write-execute memory (usually to unpack itself) (50 of 253 events)
Time & API Arguments Status Return Repeated
1619861115.631943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 2187264
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02b00000
success 0 0
1619861115.631943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 163840
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02cb0000
success 0 0
1619861116.616943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861116.647943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861116.647943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861116.663943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861116.678943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861116.694943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861116.710943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861116.725943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861116.756943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861116.803943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861116.835943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861116.835943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861116.835943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861116.866943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861116.913943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861116.944943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861116.975943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861116.991943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861117.022943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861117.053943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861117.100943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861117.131943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861117.147943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861117.163943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861117.178943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861117.194943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861117.210943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861117.225943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861117.241943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861117.256943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861117.272943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861117.272943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861117.288943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861117.303943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861117.335943
NtAllocateVirtualMemory
process_identifier: 580
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x02e60000
success 0 0
1619861117.350943
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00400000
success 0 0
1619861117.350943
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00401000
success 0 0
1619861117.350943
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00402000
success 0 0
1619861117.350943
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00403000
success 0 0
1619861117.350943
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00404000
success 0 0
1619861117.350943
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00405000
success 0 0
1619861117.350943
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00406000
success 0 0
1619861117.350943
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00407000
success 0 0
1619861117.350943
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00408000
success 0 0
1619861117.350943
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x00409000
success 0 0
1619861117.366943
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0040a000
success 0 0
1619861117.366943
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0040b000
success 0 0
1619861117.366943
NtProtectVirtualMemory
process_identifier: 580
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x0040c000
success 0 0
Creates executable files on the filesystem (2 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
file C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe
Creates a suspicious process (4 events)
cmdline bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
cmdline "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline bcdedit.exe /set {default} recoveryenabled no
cmdline schtasks /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
Drops a binary and executes it (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
Drops an executable to the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b9272245571192fadabe09dbe414ddb5.exe
A process created a hidden window (3 events)
Time & API Arguments Status Return Repeated
1619861118.631943
ShellExecuteExW
parameters: /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
filepath: schtasks
filepath_r: schtasks
show_type: 0
success 1 0
1619861121.256943
ShellExecuteExW
parameters:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\f252888.vbs
filepath_r: C:\Users\ADMINI~1.OSK\AppData\Local\Temp\f252888.vbs
show_type: 0
success 1 0
1619861467.042502
ShellExecuteExW
parameters: delete shadows /all /quiet
filepath: vssadmin.exe
filepath_r: vssadmin.exe
show_type: 0
success 1 0
Moves the original executable to a new location (1 event)
Time & API Arguments Status Return Repeated
1619861121.256943
MoveFileWithProgressW
oldfilepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b9272245571192fadabe09dbe414ddb5.exe
newfilepath:
newfilepath_r:
flags: 4
oldfilepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\b9272245571192fadabe09dbe414ddb5.exe
success 1 0
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1619861115.756943
GetAdaptersAddresses
flags: 1158
family: 0
success 0 0
Checks for the Locally Unique Identifier of a suspicious privilege on the system (1 event)
Time & API Arguments Status Return Repeated
1619861467.604375
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline schtasks /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Enumerates services, possibly for anti-virtualization (1 event)
Time & API Arguments Status Return Repeated
1619861466.886502
EnumServicesStatusW
service_handle: 0x00390b30
service_type: 48
service_status: 3
success 1 0
Installs itself for autorun at Windows startup (2 events)
cmdline "C:\Windows\System32\schtasks.exe" /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
cmdline schtasks /CREATE /TN "N0mFUQoa" /TR "C:\Users\Administrator.Oskar-PC\AppData\Roaming\Rj3fNWF3.exe" /SC ONLOGON /RL HIGHEST /F
Attempts to detect Cuckoo Sandbox through the presence of a file (1 event)
file C:\tmpsij43m\analyzer.py
Runs bcdedit commands specific to ransomware (2 events)
cmdline bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
cmdline bcdedit.exe /set {default} recoveryenabled no
Deletes a large number of files from the system, indicative of ransomware, wiper malware or system destruction (50 of 1535 events)
file C:\Python27\Lib\test\test_multifile.py
file C:\Python27\Lib\site-packages\pip\_vendor\webencodings\mklabels.py
file C:\Python27\Lib\encodings\iso8859_13.py
file C:\Python27\Lib\test\test_userstring.py
file C:\Python27\Lib\site-packages\pip\_vendor\lockfile\__init__.py
file C:\Python27\Lib\test\test_multibytecodec.py
file C:\Python27\Lib\wsgiref\util.py
file C:\Python27\Lib\test\test_timeit.py
file C:\Python27\Lib\site-packages\pip\_vendor\pkg_resources\__init__.py
file C:\Python27\Lib\site-packages\pip\_vendor\packaging\__init__.py
file C:\Python27\tcl\tix8.4.3\bitmaps\textfile.xpm
file C:\Python27\Lib\test\test_fileinput.py
file C:\Python27\Lib\test\test_heapq.py
file C:\Python27\include\dtoa.h
file C:\Python27\Lib\encodings\mac_arabic.py
file C:\Python27\Lib\test\test_zipfile64.py
file C:\Python27\Lib\test\test_md5.py
file C:\Python27\Lib\encodings\iso2022_jp_2.py
file C:\Python27\Lib\site-packages\pip\_vendor\requests\models.py
file C:\Python27\Lib\json\tests\test_float.py
file C:\Python27\Lib\wave.py
file C:\Python27\Lib\encodings\iso8859_15.py
file C:\Python27\Lib\test\test_richcmp.py
file C:\Python27\Lib\encodings\cp1253.py
file C:\Python27\Lib\test\ssl_key.pem
file C:\Python27\Lib\smtplib.py
file C:\Python27\Lib\ctypes\macholib\dyld.py
file C:\Python27\Lib\encodings\mbcs.py
file C:\Python27\Lib\HTMLParser.py
file C:\Python27\Lib\test\test_importhooks.py
file C:\Python27\Lib\test\test_traceback.py
file C:\Python27\Lib\bsddb\dbshelve.py
file C:\Python27\include\intrcheck.h
file C:\tmpsij43m\modules\packages\pdf.py
file C:\Python27\Lib\site-packages\pip\_vendor\pep517\check.py
file C:\Python27\Lib\bsddb\dbutils.py
file C:\Python27\Lib\test\test_contextlib.py
file C:\Python27\include\symtable.h
file C:\Python27\Lib\test\test_operator.py
file C:\Python27\Lib\encodings\cp1257.py
file C:\Python27\Lib\test\crashers\infinite_loop_re.py
file C:\Python27\Lib\site-packages\setuptools\version.py
file C:\Python27\Lib\test\sample_doctest.py
file C:\Python27\Lib\site-packages\pip\_vendor\html5lib\filters\alphabeticalattributes.py
file C:\Python27\Lib\test\test_poll.py
file C:\Python27\include\warnings.h
file C:\Python27\Lib\xml\sax\expatreader.py
file C:\Python27\Lib\test\test_urllib2_localnet.py
file C:\Python27\Lib\test\make_ssl_certs.py
file C:\Python27\Lib\test\test_longexp.py
Removes the Shadow Copy to prevent recovery of the system (1 event)
cmdline vssadmin.exe delete shadows /all /quiet
Uses suspicious command-line tools or Windows utilities (2 events)
cmdline vssadmin.exe delete shadows /all /quiet
cmdline "C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet
The process wscript.exe wrote an executable file to disk (1 event)
file C:\Windows\SysWOW64\wscript.exe
Detects VirtualBox through the presence of a device (2 events)
file \??\VBoxGuest
file \??\VBoxMiniRdrDN
Visual analysis
Binary image
No binary image: no binary visualization image was generated for this sample
Runtime screenshots
No screenshots: no screenshots were captured while this sample ran


PE Compile Time

2017-04-14 17:32:27

Imports

Library KERNEL32.dll:
0x4380a8 GetConsoleOutputCP
0x4380ac WriteConsoleA
0x4380b0 SetStdHandle
0x4380b4 SetFilePointer
0x4380b8 GetStringTypeW
0x4380bc GetStringTypeA
0x4380c0 LCMapStringW
0x4380c4 LCMapStringA
0x4380c8 GetConsoleMode
0x4380cc GetConsoleCP
0x4380d0 FlushFileBuffers
0x4380d4 SetHandleCount
0x4380ec GetCPInfo
0x4380f0 GetOEMCP
0x4380f4 GetACP
0x4380f8 VirtualAlloc
0x4380fc VirtualFree
0x438100 HeapCreate
0x438104 HeapFree
0x438108 HeapReAlloc
0x43810c GlobalFree
0x438110 OutputDebugStringW
0x438114 GetFileType
0x438118 WriteConsoleW
0x43811c OutputDebugStringA
0x438120 WriteFile
0x438124 GetStdHandle
0x438128 DebugBreak
0x43812c TlsFree
0x438130 TlsSetValue
0x438134 TlsAlloc
0x438138 TlsGetValue
0x43813c FatalAppExitA
0x438140 GetStartupInfoA
0x438144 GetVersionExA
0x438148 GetCommandLineA
0x43814c RtlUnwind
0x438150 Sleep
0x438154 GetConsoleWindow
0x438158 lstrcpyA
0x43815c LoadLibraryW
0x438160 lstrcatA
0x438164 GetProcAddress
0x438168 FindNextFileA
0x43816c FindClose
0x438170 lstrcpynA
0x438174 lstrlenA
0x438178 GetModuleFileNameA
0x43817c LoadLibraryA
0x438180 GetCurrentThreadId
0x438184 GetCurrentProcessId
0x43818c DeleteFileA
0x438190 MultiByteToWideChar
0x438194 SetLastError
0x438198 SetLocaleInfoW
0x4381a0 GetThreadLocale
0x4381a4 IsValidLocale
0x4381a8 GetLocaleInfoW
0x4381ac WideCharToMultiByte
0x4381b0 GetLocaleInfoA
0x4381b4 GetTickCount
0x4381bc GlobalAlloc
0x4381c0 IsBadReadPtr
0x4381c4 HeapValidate
0x4381c8 GetModuleFileNameW
0x4381cc FindFirstFileA
0x4381d0 GetLastError
0x4381d4 GetModuleHandleA
0x4381dc Thread32First
0x4381e0 IsDebuggerPresent
0x4381e8 TerminateProcess
0x4381ec RaiseException
0x438208 GetProcessHeap
0x43820c ExitProcess
0x438210 HeapAlloc
0x438214 Thread32Next
0x438218 CloseHandle
0x43821c CreateFileA
0x438220 ReadFile
0x438224 HeapDestroy
0x438228 GetCurrentProcess
Library USER32.dll:
0x438270 GetWindowRect
0x438274 ShowWindow
0x438278 ScreenToClient
0x43827c EnableWindow
0x438280 SetRect
0x438284 GetWindowLongA
0x438288 PostQuitMessage
0x43828c SendMessageA
0x438290 GetDialogBaseUnits
0x438294 GetSysColor
0x438298 UpdateWindow
0x43829c GetScrollInfo
0x4382a0 EnableScrollBar
0x4382a4 CreateWindowExA
0x4382a8 GetDC
0x4382ac IsWindowEnabled
0x4382b4 GetDlgItem
0x4382b8 GetDlgItemTextA
0x4382bc EnumPropsA
0x4382c0 SetWindowPos
0x4382c4 DefWindowProcA
0x4382c8 GetSystemMetrics
0x4382cc GetMessagePos
0x4382d0 DestroyMenu
0x4382d4 AppendMenuA
0x4382d8 CreatePopupMenu
0x4382dc SetCursorPos
0x4382e0 GetCursorPos
0x4382e4 FindWindowA
0x4382e8 FindWindowExA
0x4382ec LoadAcceleratorsA
0x4382f0 EndDialog
0x4382f4 SetFocus
0x4382f8 GetSystemMenu
0x4382fc EnableMenuItem
0x438300 DrawMenuBar
0x438304 GetMenu
0x438308 ModifyMenuA
0x43830c LoadBitmapA
0x438310 ReleaseDC
0x438314 KillTimer
0x438318 TrackPopupMenuEx
0x43831c MessageBoxA
0x438320 BeginPaint
0x438324 GetClientRect
0x438328 GetFocus
0x43832c GetIconInfo
0x438334 SetWindowLongA
0x438338 SetDlgItemInt
0x43833c SendDlgItemMessageA
0x438340 GetDlgItemInt
0x438344 GetForegroundWindow
Library GDI32.dll:
0x438038 LineTo
0x43803c CreatePolygonRgn
0x438040 FillRgn
0x438044 CreatePen
0x438048 CreateDCW
0x43804c GetDeviceCaps
0x438050 CreateDIBSection
0x438054 DeleteDC
0x438058 SaveDC
0x43805c RestoreDC
0x438060 SetDCPenColor
0x438064 GetObjectA
0x438068 CreateRectRgn
0x43806c CombineRgn
0x438070 GetStockObject
0x438074 SetBkColor
0x438078 CreateBitmap
0x43807c Escape
0x438080 CreateSolidBrush
0x438084 GetEnhMetaFileA
0x43808c CreateCompatibleDC
0x438094 SelectObject
0x438098 BitBlt
0x43809c DeleteObject
0x4380a0 MoveToEx
Library WINSPOOL.DRV:
0x43834c OpenPrinterA
0x438350 ClosePrinter
0x438354 EnumJobsA
Library ADVAPI32.dll:
0x438004 OpenProcessToken
Library SHELL32.dll:
0x438244 ShellExecuteA
0x438248 SHGetFileInfoW
0x43824c SHGetFolderPathA
Library ole32.dll:
0x438390 RevokeDragDrop
Library OLEAUT32.dll:
Library WS2_32.dll:
0x43835c gethostbyaddr
0x438360 htons
0x438364 connect
0x438368 inet_addr
Library AVIFIL32.dll:
0x438014 AVIFileInit
Library iphlpapi.dll:
0x438384 GetNetworkParams
0x438388 GetAdaptersInfo
Library SHLWAPI.dll:
0x438254 PathAppendA
0x438258 PathRemoveFileSpecA
0x43825c StrCmpNIA
Library COMCTL32.dll:
0x43801c
0x438020 ImageList_DragEnter
0x438024 ImageList_BeginDrag
Library RPCRT4.dll:
0x438238 RpcMgmtInqStats
Library gdiplus.dll:
0x438378 GdiplusShutdown
0x43837c GdiplusStartup
Library Secur32.dll:
Library dbghelp.dll:
0x438370 MiniDumpWriteDump
Library ESENT.dll:
0x438030 JetUpdate

Hosts

No hosts contacted.

TCP

Source          Source Port  Destination      Destination Host           Destination Port
192.168.56.101  50846        113.108.239.130  r1---sn-j5o76n7e.gvt1.com  80
192.168.56.101  49185        192.168.56.1                                139
192.168.56.101  49186        192.168.56.1                                139
192.168.56.101  49188        192.168.56.1                                139
192.168.56.101  50676        203.208.40.34    update.googleapis.com      443
192.168.56.101  50837        203.208.41.65    redirector.gvt1.com        80
192.168.56.101  50852        58.63.233.69     r4---sn-j5o76n7l.gvt1.com  80

UDP

Source          Source Port  Destination      Destination Host   Destination Port
192.168.56.1    137          192.168.56.101                      137
192.168.56.1    138          192.168.56.101                      138
192.168.56.101  49713        114.114.114.114                     53
192.168.56.101  50534        114.114.114.114                     53
192.168.56.101  53210        114.114.114.114                     53
192.168.56.101  56539        114.114.114.114                     53
192.168.56.101  57236        114.114.114.114                     53
192.168.56.101  58367        114.114.114.114                     53
192.168.56.101  60221        114.114.114.114                     53
192.168.56.101  61680        114.114.114.114                     53
192.168.56.101  63429        114.114.114.114                     53
192.168.56.101  65004        114.114.114.114                     53
192.168.56.101  137          192.168.56.255                      137
192.168.56.101  138          192.168.56.255                      138
192.168.56.101  123          20.189.79.72     time.windows.com   123
192.168.56.101  49235        224.0.0.252                         5355
192.168.56.101  50002        224.0.0.252                         5355
192.168.56.101  50568        224.0.0.252                         5355
192.168.56.101  51963        224.0.0.252                         5355
192.168.56.101  53380        224.0.0.252                         5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=ee5a62eb610cd8fc&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619832496&mv=m
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=ee5a62eb610cd8fc&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619832496&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=0-6730
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com

http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619832496&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619832496&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7e.gvt1.com

http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=ee5a62eb610cd8fc&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619832496&mv=m
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=ee5a62eb610cd8fc&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619832496&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com
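The request headers above (User-Agent: Microsoft BITS/7.5, Host: redirector.gvt1.com, a GoogleUpdateSetup.exe path on the gvt1.com CDN) are what Google Update's own BITS download job looks like, and the UDP table is LLMNR, NetBIOS, NTP and resolver queries. Before attributing any of this traffic to the sample it helps to strip the ordinary guest background first. The Python below is an added example for this page, not part of the report or of the sandbox's tooling: its rows are copied from the TCP/UDP tables and the first HTTP request above, while the noise rules (which domains, ports and addresses count as background, and that 114.114.114.114 is the guest's resolver) are assumptions rather than anything the report states. The three TCP connections to port 139 on 192.168.56.1 are kept on the review list on purpose, because the report does not show which process opened them.

```python
"""Network-section triage for a sandbox report (added example, not the
sandbox's own code). Rows are copied from the report; the noise rules are
assumptions about ordinary Windows guest background traffic."""
from collections import Counter

GUEST = "192.168.56.101"        # analysis VM address, from the report
GATEWAY = "192.168.56.1"        # host-only gateway, from the report
RESOLVER = "114.114.114.114"    # assumed to be the guest's DNS server
UPDATE_DOMAINS = (".gvt1.com", ".googleapis.com")  # Google Update CDN/API

# Constructed from the report's TCP table: src sport dst [host] dport
TCP_ROWS = """
192.168.56.101 50846 113.108.239.130 r1---sn-j5o76n7e.gvt1.com 80
192.168.56.101 49185 192.168.56.1 139
192.168.56.101 49186 192.168.56.1 139
192.168.56.101 49188 192.168.56.1 139
192.168.56.101 50676 203.208.40.34 update.googleapis.com 443
192.168.56.101 50837 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 50852 58.63.233.69 r4---sn-j5o76n7l.gvt1.com 80
"""
# Constructed from the report's UDP table (a representative subset)
UDP_ROWS = """
192.168.56.1 137 192.168.56.101 137
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 137 192.168.56.255 137
"""
# First request from the report's HTTP section (headers trimmed)
HTTP_REQUEST = """HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
User-Agent: Microsoft BITS/7.5
Host: redirector.gvt1.com
"""


def parse_rows(text):
    """Parse report rows; the host column is present only when resolved."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            src, sport, dst, dport = parts
            host = ""
        elif len(parts) == 5:
            src, sport, dst, host, dport = parts
        else:
            raise ValueError(f"unexpected row: {line!r}")
        flows.append((src, int(sport), dst, host, int(dport)))
    return flows


def classify(proto, src, sport, dst, host, dport):
    """'noise:*' = expected guest background, 'dns' = resolver query,
    'review:*' = needs attribution to a process before it means anything."""
    if proto == "udp":
        if dst == "224.0.0.252" and dport == 5355:
            return "noise:llmnr"
        if dport in (137, 138) and (dst.endswith(".255") or GATEWAY in (src, dst)):
            return "noise:netbios"
        if sport == 123 and dport == 123:
            return "noise:ntp"
        if dport == 53 and dst == RESOLVER:
            return "dns"
    else:
        if host.endswith(UPDATE_DOMAINS):
            return "noise:google-update"
        if dport in (139, 445):
            # Ransomware commonly enumerates shares; the report does not show
            # which process opened these, so they stay on the review list.
            return "review:smb"
    return "review:other"


def parse_http(text):
    """Split one raw request into (method, path, headers)."""
    lines = text.strip().splitlines()
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def classify_http(text):
    """Flag a BITS fetch from the Google Update CDN as guest background."""
    _, _, headers = parse_http(text)
    ua = headers.get("user-agent", "")
    if ua.startswith("Microsoft BITS/") and headers.get("host", "").endswith(UPDATE_DOMAINS):
        return "noise:bits-google-update"
    return "review:http"


def triage():
    """Count flows per label across the TCP and UDP tables."""
    counts = Counter()
    for src, sport, dst, host, dport in parse_rows(TCP_ROWS):
        counts[classify("tcp", src, sport, dst, host, dport)] += 1
    for src, sport, dst, host, dport in parse_rows(UDP_ROWS):
        counts[classify("udp", src, sport, dst, host, dport)] += 1
    return counts


if __name__ == "__main__":
    for label, n in sorted(triage().items()):
        print(f"{label:28s} {n}")
    print(classify_http(HTTP_REQUEST))
```

Run as-is it reports four Google Update flows, three port-139 connections to the gateway left for review, and the LLMNR/NetBIOS/NTP/DNS rows as background; everything labelled review still needs the process that made it, which this report's network section alone does not give.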

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.