10.2
0-day

4fe72699119a25e2d936a92d07abce418b9a0b91d742de5e21b005ffa82bba2b

c4d40c5a943aa69ffc8b4b10877e895c.exe

Analysis duration

134s

Latest analysis

File size

735.5KB
Detection tags (static and dynamic): AGENTTESLA AI SCORE=85 AVSARHER BSK66A CNAR CONFIDENCE ELDORADO EMOTET FAREIT GDSDA GENERICKDZ HIGH CONFIDENCE HTXBDF INJECT3 KCLOUD KRYPT KRYPTIK MALICIOUS PE MALWARE@#2CPEXQE8AX3M9 MALWAREX PBBZB R188036 REMCOS RGAW SCORE STATIC AI SUSGEN TASKUN THIBGBO TM0@AYKKQGB TSCOPE UNSAFE YAKBEEXMSIL ZEMSILF
Eagle Eye engine (鹰眼引擎)
Not detected: no Eagle Eye engine results are available
Static verdict
Antivirus engines
Engine  Result  Scan date  Engine version
McAfee Fareit-FYV!C4D40C5A943A 20201228 6.0.6.653
Alibaba Trojan:MSIL/AgentTesla.bb771d7c 20190527 0.3.0.5
Baidu (no detection) 20190318 1.0.0.2
Avast Win32:MalwareX-gen [Trj] 20201228 21.1.5827.0
Kingsoft Win32.Troj.Undef.(kcloud) 20201228 2017.9.26.565
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
Static indicators
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1619943739.103876
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (31 events)
IsDebuggerPresent was called 31 times and returned 0 every time (no debugger detected; the sandbox lists a FALSE return as "failed", it is not an API error). The first two calls came at process start (1619943692.697501, twice); from 1619943733.197501 onward the call repeats about every 500 ms until 1619943747.213501, the cadence of a polling anti-debug loop rather than a one-off check.
Call timestamps: 1619943692.697501, 1619943692.697501, 1619943733.197501, 1619943733.713501, 1619943734.213501, 1619943734.713501, 1619943735.213501, 1619943735.713501, 1619943736.213501, 1619943736.713501, 1619943737.213501, 1619943737.713501, 1619943738.213501, 1619943738.713501, 1619943739.213501, 1619943739.713501, 1619943740.213501, 1619943740.713501, 1619943741.213501, 1619943741.713501, 1619943742.213501, 1619943742.713501, 1619943743.213501, 1619943743.713501, 1619943744.213501, 1619943744.713501, 1619943745.213501, 1619943745.713501, 1619943746.213501, 1619943746.713501, 1619943747.213501
Command line console output was observed (1 event)
Time & API Arguments Status Return Repeated
1619943745.041876
WriteConsoleW
buffer: SUCCESS: The scheduled task "Updates\rUdgmvSdV" has successfully been created. (Chinese-locale schtasks.exe output, translated)
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619943692.713501
GlobalMemoryStatusEx
success 1 0
Behavioral verdict
Dynamic indicators
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:2320887475&cup2hreq=a026106c3932e36417771c4f9074cf25fd86769ea23812142df2c337e1f5dcb3
Caveat: this URL, and every URL in the next indicator, belongs to Google Update (the GoogleUpdateSetup.exe download from gvt1.com and the CUP-signed update check against update.googleapis.com). A native updater sends no Referer header, so this hit is background traffic from the sandbox VM, not command-and-control traffic attributable to the sample.
Performs some HTTP requests (5 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619914573&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=44b29c00d0cc7c06&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619914812&mv=m
request GET http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=44b29c00d0cc7c06&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619914812&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:2320887475&cup2hreq=a026106c3932e36417771c4f9074cf25fd86769ea23812142df2c337e1f5dcb3
Sends data using the HTTP POST Method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:2320887475&cup2hreq=a026106c3932e36417771c4f9074cf25fd86769ea23812142df2c337e1f5dcb3
Allocates read-write-execute memory (usually to unpack itself) (50 of 100 events shown). All of these calls target the sample's own process (2420; process_handle 0xffffffff is the current-process pseudo-handle), which is what an in-process unpacking stage looks like.
Time & API Arguments Status Return Repeated
1619943692.135501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 393216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x002c0000
success 0 0
1619943692.135501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002e0000
success 0 0
1619943692.572501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 2097152
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x022a0000
success 0 0
1619943692.572501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02460000
success 0 0
1619943692.619501
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b91000
success 0 0
1619943692.697501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x024a0000
success 0 0
1619943692.697501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02690000
success 0 0
1619943692.697501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0032a000
success 0 0
1619943692.697501
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73b92000
success 0 0
1619943692.697501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00322000
success 0 0
1619943692.916501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00332000
success 0 0
1619943693.010501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00355000
success 0 0
1619943693.010501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0035b000
success 0 0
1619943693.010501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00357000
success 0 0
1619943693.166501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00333000
success 0 0
1619943693.197501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0033c000
success 0 0
1619943693.853501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00334000
success 0 0
1619943693.853501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00336000
success 0 0
1619943693.947501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00690000
success 0 0
1619943693.994501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0034a000
success 0 0
1619943693.994501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00347000
success 0 0
1619943694.182501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00337000
success 0 0
1619943694.182501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00338000
success 0 0
1619943694.197501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00339000
success 0 0
1619943694.291501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00346000
success 0 0
1619943694.353501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00691000
success 0 0
1619943695.010501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00692000
success 0 0
1619943695.135501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008c0000
success 0 0
1619943695.963501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008c1000
success 0 0
1619943696.150501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02130000
success 0 0
1619943696.150501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0033a000
success 0 0
1619943696.291501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008c2000
success 0 0
1619943729.416501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02461000
success 0 0
1619943729.682501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0032c000
success 0 0
1619943729.682501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00693000
success 0 0
1619943729.775501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008c3000
success 0 0
1619943729.869501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008c4000
success 0 0
1619943729.885501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008c5000
success 0 0
1619943729.900501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008c6000
success 0 0
1619943729.947501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00694000
success 0 0
1619943729.947501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0033d000
success 0 0
1619943729.947501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008c7000
success 0 0
1619943729.963501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00695000
success 0 0
1619943729.978501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00698000
success 0 0
1619943729.994501
NtProtectVirtualMemory
process_identifier: 2420
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 407552
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x05520400
failed 3221225550 0 (NTSTATUS 0xC000004E, STATUS_SECTION_PROTECTION: RWX cannot be applied to the section mapped at this address)
1619943732.791501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00699000
success 0 0
1619943732.791501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0069a000
success 0 0
1619943732.791501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x008c8000
success 0 0
1619943732.807501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0069b000
success 0 0
1619943732.807501
NtAllocateVirtualMemory
process_identifier: 2420
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0069c000
success 0 0
Creates a suspicious process (2 events)
cmdline schtasks.exe /Create /TN "Updates\rUdgmvSdV" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3965.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rUdgmvSdV" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3965.tmp"
The task is registered from an XML definition the sample drops into %TEMP% (tmp3965.tmp), so its trigger and action are not visible in the command line. On a live host, the task name Updates\rUdgmvSdV and that temporary XML file are the persistence indicators to look for.
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619943738.838501
ShellExecuteExW
parameters: /Create /TN "Updates\rUdgmvSdV" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3965.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.968127612752899 in section .text (virtual_address 0x00002000, virtual_size 0x00085e64, size_of_data 0x00086000): a section with a high entropy has been found
entropy 0.7292517006802721: overall entropy of this PE file is high
The only import is mscoree.dll!_CorExeMain (see Imports below), so this is a .NET assembly. A .text section near the 8.0 maximum in a managed binary means the IL and resources are stored encrypted or compressed and decoded at run time, which fits the RWX allocations above and the Kryptik/Krypt labels in the detection table.
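As an added example (not code from the report or from the sandbox vendor), the check behind this indicator in working form: a minimal PE section-table parser that computes the Shannon entropy of each section's raw data and flags sections above a threshold. Because the sample itself is not on this page, the block builds its own constructed PE32 image as input, with a pseudo-random .text standing in for an encrypted payload and a repetitive .rsrc for contrast. The 7.0 threshold is an assumption, chosen because the report's .text scored 7.968.

```python
import hashlib
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(pe: bytes):
    """Yield (name, virtual_address, virtual_size, raw_data) per section.

    Only the headers needed for the entropy check are parsed (DOS header,
    PE signature, COFF header, section table); this is not a PE loader.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional          # section table follows the optional header
    for i in range(num_sections):
        hdr = table + i * 40                       # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        yield name, vaddr, vsize, pe[rawptr:rawptr + rawsize]


def section_entropies(pe: bytes):
    """{section name: entropy} for every section that has raw data."""
    return {name: round(shannon_entropy(raw), 3)
            for name, _va, _vs, raw in pe_sections(pe) if raw}


def packed_sections(pe: bytes, threshold: float = 7.0):
    """Names of sections above the threshold (assumed 7.0; compressed or
    encrypted data sits above it, plain code and text well below)."""
    return [n for n, e in section_entropies(pe).items() if e > threshold]


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image (not the sample from the report).

    .text holds a deterministic pseudo-random blob (a SHA-256 hash chain)
    standing in for an encrypted payload; .rsrc holds repetitive text.
    """
    blob, seed = b"", b"constructed sample"
    while len(blob) < 0x1000:
        seed = hashlib.sha256(seed).digest()
        blob += seed
    text = blob[:0x1000]
    rsrc = (b"Plain, highly compressible resource text. " * 200)[:0x1000]

    size_of_optional = 0xE0                        # PE32 optional header size
    raw_text, raw_rsrc = 0x200, 0x200 + len(text)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, size_of_optional, 0x102)
    optional = bytearray(size_of_optional)
    struct.pack_into("<H", optional, 0, 0x10B)     # PE32 magic

    def section_header(name, vaddr, raw, rawptr):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # relocs/linenumbers (unused), Characteristics (code|exec|read)
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(raw), vaddr, len(raw), rawptr, 0, 0, 0, 0, 0x60000020)

    image = bytearray(dos + b"PE\0\0" + coff + optional
                      + section_header(b".text", 0x1000, text, raw_text)
                      + section_header(b".rsrc", 0x2000, rsrc, raw_rsrc))
    image += b"\0" * (raw_text - len(image))       # pad headers to first raw offset
    image += text + rsrc
    return bytes(image)


if __name__ == "__main__":
    sample = build_sample_pe()
    print(section_entropies(sample))               # .text near 8.0, .rsrc far below
    print("packed:", packed_sections(sample))
```

The parser deliberately reads only the four section-header fields it needs; on a real file, check that PointerToRawData plus SizeOfRawData stays inside the file before trusting the slice, since packers routinely write inconsistent section sizes.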
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1619943729.994501
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (10 events)
Each of the five children the sample created for injection (PIDs 2436, 2152, 2168, 2240 and 192; see the injection indicators below) is terminated with status 0xffffffff. For every PID the first NtTerminateProcess is logged as failed and the immediate retry succeeds.
Time & API Arguments Status Return Repeated
1619943746.619501
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2436
process_handle: 0x000107e4
failed 0 0
1619943746.619501
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2436
process_handle: 0x000107e4
success 0 0
1619943746.682501
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2152
process_handle: 0x0000f704
failed 0 0
1619943746.682501
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2152
process_handle: 0x0000f704
success 0 0
1619943746.728501
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2168
process_handle: 0x000111a4
failed 0 0
1619943746.728501
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2168
process_handle: 0x000111a4
success 0 0
1619943747.385501
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2240
process_handle: 0x000083cc
failed 0 0
1619943747.385501
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2240
process_handle: 0x000083cc
success 0 0
1619943747.432501
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 192
process_handle: 0x0000b354
failed 0 0
1619943747.432501
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 192
process_handle: 0x0000b354
success 0 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline schtasks.exe /Create /TN "Updates\rUdgmvSdV" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3965.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rUdgmvSdV" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3965.tmp"
Network communication
Communicates with host for which no DNS query was performed (2 events)
host 172.217.24.14
host 203.208.41.98
Allocates execute permission to another process indicative of possible code injection (5 events)
All five calls request a 229376-byte RWX region at 0x00400000, the default image base, inside a child that was created suspended, and every one fails with NTSTATUS 3221225496 = 0xC0000018 STATUS_CONFLICTING_ADDRESSES: the range is already in use, most likely because the child's original image is still mapped there. A RunPE-style loader normally unmaps it first with NtUnmapViewOfSection, and no such call appears in this trace.
Time & API Arguments Status Return Repeated
1619943746.463501
NtAllocateVirtualMemory
process_identifier: 2436
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000f4a4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619943746.635501
NtAllocateVirtualMemory
process_identifier: 2152
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000dffc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619943746.697501
NtAllocateVirtualMemory
process_identifier: 2168
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000103e8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619943746.728501
NtAllocateVirtualMemory
process_identifier: 2240
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000eef0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619943747.400501
NtAllocateVirtualMemory
process_identifier: 192
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000ed00
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Manipulates memory of a non-child process indicative of process injection (10 events)
Process injection Process 2420 manipulating memory of non-child process 2436
Process injection Process 2420 manipulating memory of non-child process 2152
Process injection Process 2420 manipulating memory of non-child process 2168
Process injection Process 2420 manipulating memory of non-child process 2240
Process injection Process 2420 manipulating memory of non-child process 192
(The five NtAllocateVirtualMemory events behind this indicator are the same calls listed under the previous indicator.)
Executed a process and injected code into it, probably while unpacking (21 events)
Read together, the events below show one sequence repeated five times: CreateProcessInternalW starts a fresh copy of the sample with CREATE_SUSPENDED, NtGetContextThread reads the primary thread's context (as RunPE-style loaders do to reach the PEB and entry point), NtAllocateVirtualMemory asks for a 229376-byte (0x38000) RWX region at the image base 0x00400000 in the child and fails with STATUS_CONFLICTING_ADDRESSES (3221225496 = 0xC0000018), the child is terminated, and the sample tries again with a new child (PIDs 2436, 2152, 2168, 2240, 192). No NtWriteVirtualMemory, NtSetContextThread or NtResumeThread on any of the children appears, so the payload was never written into or run from a child in this sandbox. The schtasks.exe launch at 1619943738.838501 is an ordinary CreateProcess and belongs to the persistence step, not to the injection.
Time & API Arguments Status Return Repeated
1619943692.697501
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 2420
success 0 0
1619943692.697501
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 2420
success 0 0
1619943692.713501
NtResumeThread
thread_handle: 0x0000016c
suspend_count: 1
process_identifier: 2420
success 0 0
1619943733.197501
NtResumeThread
thread_handle: 0x0000cc9c
suspend_count: 1
process_identifier: 2420
success 0 0
1619943733.197501
NtResumeThread
thread_handle: 0x0000d9f4
suspend_count: 1
process_identifier: 2420
success 0 0
1619943738.838501
CreateProcessInternalW
thread_identifier: 1664
thread_handle: 0x0001141c
process_identifier: 1108
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rUdgmvSdV" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp3965.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x0000147c
inherit_handles: 0
success 1 0
1619943746.447501
CreateProcessInternalW
thread_identifier: 1856
thread_handle: 0x0000f67c
process_identifier: 2436
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\c4d40c5a943aa69ffc8b4b10877e895c.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\c4d40c5a943aa69ffc8b4b10877e895c.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000f4a4
inherit_handles: 0
success 1 0
1619943746.447501
NtGetContextThread
thread_handle: 0x0000f67c
success 0 0
1619943746.463501
NtAllocateVirtualMemory
process_identifier: 2436
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000f4a4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619943746.635501
CreateProcessInternalW
thread_identifier: 1236
thread_handle: 0x000107e4
process_identifier: 2152
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\c4d40c5a943aa69ffc8b4b10877e895c.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\c4d40c5a943aa69ffc8b4b10877e895c.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000dffc
inherit_handles: 0
success 1 0
1619943746.635501
NtGetContextThread
thread_handle: 0x000107e4
success 0 0
1619943746.635501
NtAllocateVirtualMemory
process_identifier: 2152
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000dffc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619943746.697501
CreateProcessInternalW
thread_identifier: 2484
thread_handle: 0x0000f704
process_identifier: 2168
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\c4d40c5a943aa69ffc8b4b10877e895c.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\c4d40c5a943aa69ffc8b4b10877e895c.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x000103e8
inherit_handles: 0
success 1 0
1619943746.697501
NtGetContextThread
thread_handle: 0x0000f704
success 0 0
1619943746.697501
NtAllocateVirtualMemory
process_identifier: 2168
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000103e8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619943746.728501
CreateProcessInternalW
thread_identifier: 2364
thread_handle: 0x000111a4
process_identifier: 2240
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\c4d40c5a943aa69ffc8b4b10877e895c.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\c4d40c5a943aa69ffc8b4b10877e895c.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000eef0
inherit_handles: 0
success 1 0
1619943746.728501
NtGetContextThread
thread_handle: 0x000111a4
success 0 0
1619943746.728501
NtAllocateVirtualMemory
process_identifier: 2240
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000eef0
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619943747.400501
CreateProcessInternalW
thread_identifier: 2760
thread_handle: 0x000083cc
process_identifier: 192
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\c4d40c5a943aa69ffc8b4b10877e895c.exe
track: 1
command_line: "{path}"
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\c4d40c5a943aa69ffc8b4b10877e895c.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x0000ed00
inherit_handles: 0
success 1 0
1619943747.400501
NtGetContextThread
thread_handle: 0x000083cc
success 0 0
1619943747.400501
NtAllocateVirtualMemory
process_identifier: 192
region_size: 229376
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x0000ed00
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
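Added example, not part of the report: a small correlator in Python that turns an API trace like the one above into a per-child verdict. It tracks children created CREATE_SUSPENDED, the NtGetContextThread on their primary thread handle, and any RWX NtAllocateVirtualMemory aimed at them, and decodes the NTSTATUS values the sandbox prints as unsigned decimals. The event layout (one dict per call with api, args, ok and ret) is an assumption of this example, and the trace it runs on is constructed to mirror this page: PIDs, handles, flags, sizes and the 3221225496 status are copied from the report, the sample's own code is not.

```python
from collections import OrderedDict

CREATE_SUSPENDED = 0x00000004
PAGE_EXECUTE_READWRITE = 0x40

# NTSTATUS values as the sandbox prints them (unsigned decimal) -> symbolic name.
NTSTATUS = {
    3221225496: "STATUS_CONFLICTING_ADDRESSES (0xC0000018)",
    3221225550: "STATUS_SECTION_PROTECTION (0xC000004E)",
}


def ntstatus_name(code: int) -> str:
    return NTSTATUS.get(code, "0x%08X" % code)


def detect_hollowing(events):
    """Correlate a Cuckoo-style API trace into process-hollowing attempts.

    Each event is {"api": str, "args": dict, "ok": bool, "ret": int}, in call
    order. A child is reported when it was created CREATE_SUSPENDED and the
    caller then allocated executable memory inside it; NtGetContextThread on
    its primary thread and a later NtTerminateProcess are recorded as stages.
    Returns {child_pid: finding}; a suspended child that never received an
    allocation is not reported.
    """
    children = OrderedDict()   # child pid -> finding
    thread_to_pid = {}         # primary thread handle -> child pid
    for ev in events:
        api, a = ev["api"], ev["args"]
        if api == "CreateProcessInternalW" and a["creation_flags"] & CREATE_SUSPENDED:
            pid = a["process_identifier"]
            children[pid] = {"image": a["filepath"], "stages": ["CREATE_SUSPENDED"],
                             "alloc_status": None, "terminated": False}
            thread_to_pid[a["thread_handle"]] = pid
        elif api == "NtGetContextThread" and a.get("thread_handle") in thread_to_pid:
            children[thread_to_pid[a["thread_handle"]]]["stages"].append("NtGetContextThread")
        elif api == "NtAllocateVirtualMemory":
            pid = a["process_identifier"]
            if pid in children and a["protection"] & PAGE_EXECUTE_READWRITE:
                f = children[pid]
                f["stages"].append("RWX alloc @0x%08x" % a["base_address"])
                # the sandbox prints the raw NTSTATUS in "ret" when ok is False
                f["alloc_status"] = "ok" if ev["ok"] else ntstatus_name(ev["ret"])
        elif api == "NtTerminateProcess" and ev["ok"] and a["process_identifier"] in children:
            children[a["process_identifier"]]["terminated"] = True
    return {pid: f for pid, f in children.items() if f["alloc_status"] is not None}


def verdict(finding) -> str:
    if finding["alloc_status"] == "ok":
        return "process hollowing: executable region allocated in suspended child"
    return "process hollowing attempted, allocation failed: " + finding["alloc_status"]


# Constructed trace modelled on the report (values copied from it, code not).
SAMPLE_EXE = r"C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\c4d40c5a943aa69ffc8b4b10877e895c.exe"
TRACE = [
    {"api": "CreateProcessInternalW", "ok": True, "ret": 1, "args": {
        "process_identifier": 1108, "thread_handle": 0x1141C,
        "filepath": r"C:\Windows\System32\schtasks.exe", "creation_flags": 67634192}},
    {"api": "CreateProcessInternalW", "ok": True, "ret": 1, "args": {
        "process_identifier": 2436, "thread_handle": 0xF67C,
        "filepath": SAMPLE_EXE, "creation_flags": 4}},
    {"api": "NtGetContextThread", "ok": True, "ret": 0, "args": {"thread_handle": 0xF67C}},
    {"api": "NtAllocateVirtualMemory", "ok": False, "ret": 3221225496, "args": {
        "process_identifier": 2436, "region_size": 229376,
        "protection": 64, "base_address": 0x400000}},
    {"api": "NtTerminateProcess", "ok": True, "ret": 0, "args": {"process_identifier": 2436}},
]

if __name__ == "__main__":
    for pid, f in detect_hollowing(TRACE).items():
        print(pid, f["stages"], "->", verdict(f))
```

Run stand-alone it reports only PID 2436 with the stages CREATE_SUSPENDED, NtGetContextThread and RWX alloc @0x00400000 and the verdict "allocation failed: STATUS_CONFLICTING_ADDRESSES (0xC0000018)"; the schtasks child (1108) is not reported because it was neither suspended nor allocated into. Keying the NtGetContextThread match on the thread handle returned by CreateProcessInternalW, rather than on PID alone, is what keeps the correlation exact when several children exist at once.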
File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 of 56 shown)
Elastic malicious (high confidence)
ClamAV Win.Malware.Cnar-7194164-0
FireEye Generic.mg.c4d40c5a943aa69f
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
McAfee Fareit-FYV!C4D40C5A943A
Cylance Unsafe
K7AntiVirus Trojan ( 0056d6c41 )
Alibaba Trojan:MSIL/AgentTesla.bb771d7c
K7GW Trojan ( 0056d6c41 )
Cybereason malicious.a943aa
Arcabit Trojan.Generic.D11096
Cyren W32/MSIL_Kryptik.BLW.gen!Eldorado
Symantec Trojan.Gen.MBT
APEX Malicious
Paloalto generic.ml
Cynet Malicious (score: 100)
Kaspersky HEUR:Trojan.MSIL.Taskun.gen
BitDefender Trojan.GenericKDZ.69782
NANO-Antivirus Trojan.Win32.Taskun.htxbdf
MicroWorld-eScan Trojan.GenericKDZ.69782
Avast Win32:MalwareX-gen [Trj]
Ad-Aware Trojan.GenericKDZ.69782
Sophos Mal/Generic-S
Comodo Malware@#2cpexqe8ax3m9
F-Secure Trojan.TR/Kryptik.pbbzb
DrWeb Trojan.Inject3.53454
VIPRE Trojan.Win32.Generic!BT
TrendMicro TrojanSpy.MSIL.EMOTET.THIBGBO
McAfee-GW-Edition BehavesLike.Win32.Generic.bc
Emsisoft Trojan.Crypt (A)
SentinelOne Static AI - Malicious PE
Jiangmin Trojan.MSIL.rgaw
Avira TR/Kryptik.pbbzb
Antiy-AVL Trojan/MSIL.Taskun
Kingsoft Win32.Troj.Undef.(kcloud)
Gridinsoft Trojan.Win32.Kryptik.oa
Microsoft Trojan:MSIL/AgentTesla.PBG!MTB
AegisLab Trojan.Multi.Generic.4!c
ZoneAlarm HEUR:Trojan.MSIL.Taskun.gen
GData Trojan.GenericKDZ.69782
AhnLab-V3 Trojan/Win32.MDA.R188036
BitDefenderTheta Gen:NN.ZemsilF.34700.Tm0@aykKQgb
ALYac Trojan.GenericKDZ.69782
MAX malware (ai score=85)
VBA32 TScope.Trojan.MSIL
Malwarebytes Spyware.AgentTesla
ESET-NOD32 a variant of MSIL/Kryptik.XMX
TrendMicro-HouseCall Backdoor.MSIL.REMCOS.SM
Yandex Trojan.AvsArher.bSK66A
Ikarus Trojan.MSIL.Krypt
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (2 events)
dead_host 172.217.24.14:443
dead_host 172.217.160.110:443
Visual Analysis
Binary Image
No binary image: this sample did not generate a binary visualization image
Runtime Screenshots
No runtime screenshots: no screenshots were captured while this sample was running

PE Compile Time

2020-08-28 12:06:08

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49198 113.108.239.194 r1---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49199 113.108.239.196 r3---sn-j5o7dn7e.gvt1.com 80
192.168.56.101 49195 203.208.40.98 update.googleapis.com 443
192.168.56.101 49197 203.208.41.65 redirector.gvt1.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 51808 114.114.114.114 53
192.168.56.101 51963 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 58970 114.114.114.114 53
192.168.56.101 60088 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 51378 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53380 224.0.0.252 5355
192.168.56.101 54991 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 58367 224.0.0.252 5355
192.168.56.101 60221 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=44b29c00d0cc7c06&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619914812&mv=m
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=44b29c00d0cc7c06&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619914812&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://r1---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619914573&mv=m&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.100&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619914573&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o7dn7e.gvt1.com

http://r3---sn-j5o7dn7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=44b29c00d0cc7c06&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619914812&mv=m
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=3&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5ok7e&req_id=44b29c00d0cc7c06&cms_redirect=yes&ipbypass=yes&mip=59.50.85.19&mm=28&mn=sn-j5o7dn7e&ms=nvh&mt=1619914812&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=0-6727
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r3---sn-j5o7dn7e.gvt1.com

http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.