12.8
0-day

0d8eeefd7efb3d6c87134ff4c416f875f322553c76fddf2463beb87e11929dbd

d4e9b017314300d4f92007964c8d5f82.exe

Analysis duration

129s

Latest analysis

File size

1.0MB
Static detection / Dynamic detection
Hawkeye engine
Not detected: no Hawkeye engine detection results yet
Static verdict
Antivirus engines
Not detected: no antivirus engine detection results yet
Static indicators
Queries for the computername (1 event)
Time & API Arguments Status Return Repeated
1619939232.137125
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (50 out of 228 events)
Time & API Arguments Status Return Repeated
1619910854.452212 IsDebuggerPresent failed 0 0
1619910854.452212 IsDebuggerPresent failed 0 0
1619910855.562212 IsDebuggerPresent failed 0 0
1619910856.062212 IsDebuggerPresent failed 0 0
1619910856.577212 IsDebuggerPresent failed 0 0
1619910857.062212 IsDebuggerPresent failed 0 0
1619910857.577212 IsDebuggerPresent failed 0 0
1619910858.062212 IsDebuggerPresent failed 0 0
1619910858.577212 IsDebuggerPresent failed 0 0
1619910859.062212 IsDebuggerPresent failed 0 0
1619910859.577212 IsDebuggerPresent failed 0 0
1619910860.062212 IsDebuggerPresent failed 0 0
1619910860.577212 IsDebuggerPresent failed 0 0
1619910861.062212 IsDebuggerPresent failed 0 0
1619910861.577212 IsDebuggerPresent failed 0 0
1619910862.062212 IsDebuggerPresent failed 0 0
1619910862.577212 IsDebuggerPresent failed 0 0
1619910863.062212 IsDebuggerPresent failed 0 0
1619910863.577212 IsDebuggerPresent failed 0 0
1619910864.062212 IsDebuggerPresent failed 0 0
1619910864.577212 IsDebuggerPresent failed 0 0
1619910865.062212 IsDebuggerPresent failed 0 0
1619910865.577212 IsDebuggerPresent failed 0 0
1619910866.062212 IsDebuggerPresent failed 0 0
1619910866.577212 IsDebuggerPresent failed 0 0
1619910867.062212 IsDebuggerPresent failed 0 0
1619910867.577212 IsDebuggerPresent failed 0 0
1619910868.062212 IsDebuggerPresent failed 0 0
1619910868.577212 IsDebuggerPresent failed 0 0
1619910869.062212 IsDebuggerPresent failed 0 0
1619910869.577212 IsDebuggerPresent failed 0 0
1619910870.062212 IsDebuggerPresent failed 0 0
1619910870.577212 IsDebuggerPresent failed 0 0
1619910871.062212 IsDebuggerPresent failed 0 0
1619910871.577212 IsDebuggerPresent failed 0 0
1619910872.062212 IsDebuggerPresent failed 0 0
1619910872.577212 IsDebuggerPresent failed 0 0
1619910873.062212 IsDebuggerPresent failed 0 0
1619910873.577212 IsDebuggerPresent failed 0 0
1619910874.062212 IsDebuggerPresent failed 0 0
1619910874.577212 IsDebuggerPresent failed 0 0
1619910875.062212 IsDebuggerPresent failed 0 0
1619910875.577212 IsDebuggerPresent failed 0 0
1619910876.062212 IsDebuggerPresent failed 0 0
1619910876.577212 IsDebuggerPresent failed 0 0
1619910877.062212 IsDebuggerPresent failed 0 0
1619910877.577212 IsDebuggerPresent failed 0 0
1619910878.062212 IsDebuggerPresent failed 0 0
1619910878.577212 IsDebuggerPresent failed 0 0
1619910879.062212 IsDebuggerPresent failed 0 0
Command line console output was observed (1 event)
Time & API Arguments Status Return Repeated
1619939233.434125
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\qDGATGHJgh"。
console_handle: 0x00000007
success 1 0
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1619910854.483212
GlobalMemoryStatusEx
success 1 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)
suspicious_features: POST method with no referer header
suspicious_request: POST https://update.googleapis.com/service/update2?cup2key=10:1516102538&cup2hreq=c657a686f0af9deb3ad7f911ffc20b58a563d99ca3fa57509a4eb52a1f08883f
Performs some HTTP requests (4 events)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619910403&mv=u&mvi=1&pl=23&shardbypass=yes
request HEAD http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=4659812dd499a7b0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619909774&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:1516102538&cup2hreq=c657a686f0af9deb3ad7f911ffc20b58a563d99ca3fa57509a4eb52a1f08883f
Sends data using the HTTP POST Method (1 event)
request POST https://update.googleapis.com/service/update2?cup2key=10:1516102538&cup2hreq=c657a686f0af9deb3ad7f911ffc20b58a563d99ca3fa57509a4eb52a1f08883f
Allocates read-write-execute memory (usually to unpack itself) (50 out of 172 events)
Time & API Arguments Status Return Repeated
1619910853.608212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 1179648
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x008f0000
success 0 0
1619910853.608212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x009d0000
success 0 0
1619910854.062212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 589824
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x003d0000
success 0 0
1619910854.062212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00420000
success 0 0
1619910854.249212
NtProtectVirtualMemory
process_identifier: 1316
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619910854.452212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 1835008
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00d30000
success 0 0
1619910854.452212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00eb0000
success 0 0
1619910854.452212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002aa000
success 0 0
1619910854.468212
NtProtectVirtualMemory
process_identifier: 1316
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619910854.468212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002a2000
success 0 0
1619910854.655212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002b2000
success 0 0
1619910854.749212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e5000
success 0 0
1619910854.749212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003eb000
success 0 0
1619910854.749212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003e7000
success 0 0
1619910854.843212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002b3000
success 0 0
1619910854.874212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002bc000
success 0 0
1619910854.952212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00720000
success 0 0
1619910854.952212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002b4000
success 0 0
1619910854.968212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00721000
success 0 0
1619910854.983212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00722000
success 0 0
1619910854.983212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00723000
success 0 0
1619910855.030212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00724000
success 0 0
1619910855.046212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00725000
success 0 0
1619910855.202212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002b5000
success 0 0
1619910855.327212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00726000
success 0 0
1619910855.577212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002b6000
success 0 0
1619910855.577212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002b7000
success 0 0
1619910855.812212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002b8000
success 0 0
1619910855.921212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c0000
success 0 0
1619910856.030212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003da000
success 0 0
1619910856.030212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d7000
success 0 0
1619910856.077212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00727000
success 0 0
1619910856.108212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c1000
success 0 0
1619910856.155212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c2000
success 0 0
1619910856.187212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x003d6000
success 0 0
1619910856.327212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c3000
success 0 0
1619910856.327212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00728000
success 0 0
1619910856.343212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x7ef40000
success 0 0
1619910856.343212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef40000
success 0 0
1619910856.343212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef40000
success 0 0
1619910856.343212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef48000
success 0 0
1619910856.343212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x7ef30000
success 0 0
1619910856.343212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef30000
success 0 0
1619910856.374212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00729000
success 0 0
1619910856.374212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x002bd000
success 0 0
1619910856.374212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c4000
success 0 0
1619910856.530212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0072a000
success 0 0
1619910856.530212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0072c000
success 0 0
1619910856.624212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x007c5000
success 0 0
1619910906.374212
NtAllocateVirtualMemory
process_identifier: 1316
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0072d000
success 0 0
Checks whether any human activity is being performed by constantly checking whether the foreground window changed
A process attempted to delay the analysis task. (2 events)
description d4e9b017314300d4f92007964c8d5f82.exe tried to sleep 164 seconds, actually delayed analysis time by 164 seconds
description sysins.exe tried to sleep 160 seconds, actually delayed analysis time by 160 seconds
Creates a suspicious process (2 events)
cmdline schtasks.exe /Create /TN "Updates\qDGATGHJgh" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp259F.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qDGATGHJgh" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp259F.tmp"
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1619910908.733212
ShellExecuteExW
parameters: /Create /TN "Updates\qDGATGHJgh" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp259F.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
entropy 7.498090629091048
section {'size_of_data': '0x0010a600', 'virtual_address': '0x00002000', 'entropy': 7.498090629091048, 'name': '.text', 'virtual_size': '0x0010a5a4'}
description A section with a high entropy has been found
entropy 0.9976591760299626
description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)
Time & API Arguments Status Return Repeated
1619910855.312212
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1619939239.621375
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (2 events)
Time & API Arguments Status Return Repeated
1619910912.296212
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2412
process_handle: 0x000003c0
failed 0 0
1619910912.296212
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2412
process_handle: 0x000003c0
success 0 0
Uses Windows utilities for basic Windows functionality (2 events)
cmdline schtasks.exe /Create /TN "Updates\qDGATGHJgh" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp259F.tmp"
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qDGATGHJgh" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp259F.tmp"
Network communication
Communicates with host for which no DNS query was performed (2 events)
host 172.217.24.14
host 203.208.40.66
Allocates execute permission to another process indicative of possible code injection (2 events)
Time & API Arguments Status Return Repeated
1619910911.999212
NtAllocateVirtualMemory
process_identifier: 2412
region_size: 1392640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003b8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619910912.374212
NtAllocateVirtualMemory
process_identifier: 196
region_size: 1392640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003bc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Manipulates memory of a non-child process indicative of process injection (2 events)
Process injection Process 1316 manipulating memory of non-child process 2412
Time & API Arguments Status Return Repeated
1619910911.999212
NtAllocateVirtualMemory
process_identifier: 2412
region_size: 1392640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003b8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Potential code injection by writing to the memory of another process (4 events)
Time & API Arguments Status Return Repeated
1619910912.374212
WriteProcessMemory
process_identifier: 196
buffer: MZ ... This program cannot be run in DOS mode. ... Rich ... PE ... .text ... .rdata ... .data ... .rsrc ... .reloc ... .bss (non-printable bytes omitted)
process_handle: 0x000003bc
base_address: 0x00400000
success 1 0
1619910912.374212
WriteProcessMemory
process_identifier: 196
buffer: [binary code; non-printable bytes omitted; readable fragments: kern, el32, .dll, ntdl, l.dl, user, 32.d, ll]
process_handle: 0x000003bc
base_address: 0x00419000
success 1 0
1619910912.374212
WriteProcessMemory
process_identifier: 196
buffer: [binary data; non-printable bytes omitted]
process_handle: 0x000003bc
base_address: 0x00553000
success 1 0
1619910912.374212
WriteProcessMemory
process_identifier: 196
buffer: @
process_handle: 0x000003bc
base_address: 0x7efde008
success 1 0
Code injection by writing an executable or DLL to the memory of another process (1 event)
Time & API Arguments Status Return Repeated
1619910912.374212
WriteProcessMemory
process_identifier: 196
buffer: MZ ... This program cannot be run in DOS mode. ... Rich ... PE ... .text ... .rdata ... .data ... .rsrc ... .reloc ... .bss (non-printable bytes omitted)
process_handle: 0x000003bc
base_address: 0x00400000
success 1 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)
Process injection Process 1316 called NtSetContextThread to modify thread in remote process 196
Time & API Arguments Status Return Repeated
1619910912.374212
NtSetContextThread
thread_handle: 0x000003c0
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4217405
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 196
success 0 0
Attempts to remove evidence of file being downloaded from the Internet (1 event)
file C:\ProgramData\sysins.exe:Zone.Identifier
Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)
Process injection Process 1316 resumed a thread in remote process 196
Time & API Arguments Status Return Repeated
1619910912.655212
NtResumeThread
thread_handle: 0x000003c0
suspend_count: 1
process_identifier: 196
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 172.217.160.110:443
Executed a process and injected code into it, probably while unpacking (32 events)
Time & API Arguments Status Return Repeated
1619910854.452212
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 1316
success 0 0
1619910854.468212
NtResumeThread
thread_handle: 0x00000124
suspend_count: 1
process_identifier: 1316
success 0 0
1619910854.483212
NtResumeThread
thread_handle: 0x00000128
suspend_count: 1
process_identifier: 1316
success 0 0
1619910855.530212
NtResumeThread
thread_handle: 0x00000208
suspend_count: 1
process_identifier: 1316
success 0 0
1619910855.562212
NtResumeThread
thread_handle: 0x00000224
suspend_count: 1
process_identifier: 1316
success 0 0
1619910908.733212
CreateProcessInternalW
thread_identifier: 2772
thread_handle: 0x00000370
process_identifier: 2120
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qDGATGHJgh" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp259F.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x000003a8
inherit_handles: 0
success 1 0
1619910911.999212
CreateProcessInternalW
thread_identifier: 2840
thread_handle: 0x00000364
process_identifier: 2412
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d4e9b017314300d4f92007964c8d5f82.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d4e9b017314300d4f92007964c8d5f82.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x000003b8
inherit_handles: 0
success 1 0
1619910911.999212
NtGetContextThread
thread_handle: 0x00000364
success 0 0
1619910911.999212
NtAllocateVirtualMemory
process_identifier: 2412
region_size: 1392640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003b8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619910912.374212
CreateProcessInternalW
thread_identifier: 1208
thread_handle: 0x000003c0
process_identifier: 196
current_directory:
filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d4e9b017314300d4f92007964c8d5f82.exe
track: 1
command_line:
filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\d4e9b017314300d4f92007964c8d5f82.exe
stack_pivoted: 0
creation_flags: 134217732 (CREATE_NO_WINDOW|CREATE_SUSPENDED)
process_handle: 0x000003bc
inherit_handles: 0
success 1 0
1619910912.374212
NtGetContextThread
thread_handle: 0x000003c0
success 0 0
1619910912.374212
NtAllocateVirtualMemory
process_identifier: 196
region_size: 1392640
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x000003bc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619910912.374212
WriteProcessMemory
process_identifier: 196
buffer: MZ ... This program cannot be run in DOS mode. ... Rich ... PE ... .text ... .rdata ... .data ... .rsrc ... .reloc ... .bss (non-printable bytes omitted)
process_handle: 0x000003bc
base_address: 0x00400000
success 1 0
1619910912.374212
WriteProcessMemory
process_identifier: 196
buffer:
process_handle: 0x000003bc
base_address: 0x00401000
success 1 0
1619910912.374212
WriteProcessMemory
process_identifier: 196
buffer:
process_handle: 0x000003bc
base_address: 0x00414000
success 1 0
1619910912.374212
WriteProcessMemory
process_identifier: 196
buffer: [binary code; non-printable bytes omitted; readable fragments: kern, el32, .dll, ntdl, l.dl, user, 32.d, ll]
process_handle: 0x000003bc
base_address: 0x00419000
success 1 0
1619910912.374212
WriteProcessMemory
process_identifier: 196
buffer:
process_handle: 0x000003bc
base_address: 0x0054f000
success 1 0
1619910912.374212
WriteProcessMemory
process_identifier: 196
buffer:
process_handle: 0x000003bc
base_address: 0x00552000
success 1 0
1619910912.374212
WriteProcessMemory
process_identifier: 196
buffer: [binary data; non-printable bytes omitted]
process_handle: 0x000003bc
base_address: 0x00553000
success 1 0
1619910912.374212
WriteProcessMemory
process_identifier: 196
buffer: @
process_handle: 0x000003bc
base_address: 0x7efde008
success 1 0
1619910912.374212
NtSetContextThread
thread_handle: 0x000003c0
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4217405
registers.ebp: 0
registers.edx: 0
registers.ebx: 2130567168
registers.esi: 0
registers.ecx: 0
process_identifier: 196
success 0 0
1619910912.655212
NtResumeThread
thread_handle: 0x000003c0
suspend_count: 1
process_identifier: 196
success 0 0
1619910912.655212
NtResumeThread
thread_handle: 0x000003d4
suspend_count: 1
process_identifier: 1316
success 0 0
1619910912.749212
NtGetContextThread
thread_handle: 0x000003d4
success 0 0
1619910912.749212
NtGetContextThread
thread_handle: 0x000003d4
success 0 0
1619910912.749212
NtResumeThread
thread_handle: 0x000003d4
suspend_count: 1
process_identifier: 1316
success 0 0
1619939238.574125
CreateProcessInternalW
thread_identifier: 2168
thread_handle: 0x000001e4
process_identifier: 1244
current_directory:
filepath: C:\ProgramData\sysins.exe
track: 1
command_line:
filepath_r: C:\ProgramData\sysins.exe
stack_pivoted: 0
creation_flags: 0 ()
process_handle: 0x000001ec
inherit_handles: 0
success 1 0
1619939239.152375
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 1244
success 0 0
1619939239.168375
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 1244
success 0 0
1619939239.246375
NtResumeThread
thread_handle: 0x00000198
suspend_count: 1
process_identifier: 1244
success 0 0
1619939239.746375
NtResumeThread
thread_handle: 0x000001fc
suspend_count: 1
process_identifier: 1244
success 0 0
1619939239.793375
NtResumeThread
thread_handle: 0x00000210
suspend_count: 1
process_identifier: 1244
success 0 0
Visual Analysis
Binary Image
No binary image available: this sample did not generate a binary visualization image
Runtime Screenshots
No runtime screenshots available: no screenshots were captured while this sample ran
PE Compile Time

2020-08-05 15:48:07

Imports

Library mscoree.dll:
0x402000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49195 113.108.239.130 r1---sn-j5o76n7e.gvt1.com 80
192.168.56.101 49193 203.208.40.34 update.googleapis.com 443
192.168.56.101 49194 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49196 58.63.233.69 r4---sn-j5o76n7l.gvt1.com 80
203.208.40.66 443 192.168.56.101 49186

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 53237 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 61680 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62318 224.0.0.252 5355
192.168.56.101 1900 239.255.255.250 1900

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=4659812dd499a7b0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619909774&mv=m
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=4659812dd499a7b0&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619909774&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com

http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619910403&mv=u&mvi=1&pl=23&shardbypass=yes
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619910403&mv=u&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7e.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.