SmartHawk

13.8

0-day

52 个模型检测该样本为恶意！

重新分析

下载样本

3fcdb2659f602866f3ebb89f31da878e3190e06867ba85f6b80d7c4c7c2b648c

dc29815abecb45095a5ffe4a92b8c4a3.exe

分析耗时

97s

最近分析

文件大小

514.5KB

静态报毒动态报毒 AI SCORE=86 ANDROM ATTRIBUTE AVSARHER BTJEKX CONFIDENCE DOWNLOADER33 DROPPERX ELDORADO FAREIT GDSDA GENERICKD GM0@AEKM4UI HIGH CONFIDENCE HIGHCONFIDENCE KRYPTIK MASSLOGGER R344975 SCORE THGAFBO UNSAFE VVJFL WRQF ZEMSILCO 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	Fareit-FXH!DC29815ABECB	20200802	6.0.6.653
Alibaba	Backdoor:MSIL/Masslogger.9594afc3	20190527	0.3.0.5
Baidu		20190318	1.0.0.2
Avast	Win32:DropperX-gen [Drp]	20200802	18.4.3895.0
Tencent	Msil.Backdoor.Androm.Wrqf	20200802	1.0.0.1
Kingsoft		20200802	2013.8.14.323
CrowdStrike	win/malicious_confidence_90% (W)	20190702	1.0

Queries for the computername (5 个事件)

Time & API	Arguments	Status	Return
1619965147.668626 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619965163.871374 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619965166.871374 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619965169.309374 GetComputerNameW	computer_name: OSKAR-PC	success	1
1619965169.574374 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (4 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948415.404531 IsDebuggerPresent		failed	0	0
1619948415.404531 IsDebuggerPresent		failed	0	0
1619965150.637374 IsDebuggerPresent		failed	0	0
1619965150.637374 IsDebuggerPresent		failed	0	0

Command line console output was observed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619965148.434626 WriteConsoleW	buffer: 成功: 成功创建计划任务 "Updates\WpdwJAQO"。 console_handle: 0x00000007	success	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948415.467531 GlobalMemoryStatusEx		success	1	0

One or more processes crashed (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619965168.590374 __exception__	stacktrace: 0x450f5b5 0x450e8c6 DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01 CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21 GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82 GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90 GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4 GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199 GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a _CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 3206844 registers.edi: 3206872 registers.eax: 0 registers.ebp: 3206888 registers.edx: 8 registers.ebx: 0 registers.esi: 38586604 registers.ecx: 0 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc b8 65 2b 8d 3d e9 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x44a31d2	success	0	0

Time & API

Arguments

Status

Return

Repeated

1619965168.590374
__exception__

stacktrace:

0x450f5b5
0x450e8c6
DllUnregisterServerInternal-0x3e21 clr+0x21db @ 0x73e721db
CoUninitializeEE+0x6862 DllRegisterServerInternal-0xc91e clr+0x24a2a @ 0x73e94a2a
CoUninitializeEE+0x6a04 DllRegisterServerInternal-0xc77c clr+0x24bcc @ 0x73e94bcc
CoUninitializeEE+0x6a39 DllRegisterServerInternal-0xc747 clr+0x24c01 @ 0x73e94c01
CoUninitializeEE+0x6a59 DllRegisterServerInternal-0xc727 clr+0x24c21 @ 0x73e94c21
GetCLRFunction+0xc08 GetMetaDataPublicInterfaceFromInternal-0x8a65 clr+0xece82 @ 0x73f5ce82
GetCLRFunction+0xd16 GetMetaDataPublicInterfaceFromInternal-0x8957 clr+0xecf90 @ 0x73f5cf90
GetCLRFunction+0xb2a GetMetaDataPublicInterfaceFromInternal-0x8b43 clr+0xecda4 @ 0x73f5cda4
GetCLRFunction+0xf1f GetMetaDataPublicInterfaceFromInternal-0x874e clr+0xed199 @ 0x73f5d199
GetCLRFunction+0xe20 GetMetaDataPublicInterfaceFromInternal-0x884d clr+0xed09a @ 0x73f5d09a
_CorExeMain+0x1c SetRuntimeInfo-0x181d clr+0x16af00 @ 0x73fdaf00
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x752655ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x754e7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x754e4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 3206844
registers.edi: 3206872
registers.eax: 0
registers.ebp: 3206888
registers.edx: 8
registers.ebx: 0
registers.esi: 38586604
registers.ecx: 0
exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 dc b8 65 2b 8d 3d e9
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x44a31d2

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)

suspicious_features

POST method with no referer header

suspicious_request

POST https://update.googleapis.com/service/update2?cup2key=10:2436741779&cup2hreq=3a4a9529f9ec8e7080385f2323a6a2129c83fff06ad873f0bedac3b7ce514580

Performs some HTTP requests (4 个事件)

request	HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request	HEAD http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619936174&mv=m&mvi=1&pl=23&shardbypass=yes
request	HEAD http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=7e7ed8638c546d24&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619936174&mv=m
request	POST https://update.googleapis.com/service/update2?cup2key=10:2436741779&cup2hreq=3a4a9529f9ec8e7080385f2323a6a2129c83fff06ad873f0bedac3b7ce514580

Sends data using the HTTP POST Method (1 个事件)

request

POST https://update.googleapis.com/service/update2?cup2key=10:2436741779&cup2hreq=3a4a9529f9ec8e7080385f2323a6a2129c83fff06ad873f0bedac3b7ce514580

Allocates read-write-execute memory (usually to unpack itself) (50 out of 132 个事件)

Time & API	Arguments	Status
1619948414.826531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00440000	success
1619948414.826531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004b0000	success
1619948415.170531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00760000	success
1619948415.170531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00850000	success
1619948415.264531 NtProtectVirtualMemory	process_identifier: 2984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e71000	success
1619948415.404531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x021e0000	success
1619948415.404531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x023b0000	success
1619948415.420531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0044a000	success
1619948415.420531 NtProtectVirtualMemory	process_identifier: 2984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73e72000	success
1619948415.420531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00442000	success
1619948415.623531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00452000	success
1619948415.732531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00475000	success
1619948415.732531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0047b000	success
1619948415.732531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00477000	success
1619948415.811531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00453000	success
1619948415.857531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0045c000	success
1619948416.217531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00454000	success
1619948416.217531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00456000	success
1619948416.342531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00650000	success
1619948416.436531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00457000	success
1619948416.498531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x023b1000	success
1619948416.514531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x023b2000	success
1619948416.561531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00458000	success
1619948416.561531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00466000	success
1619948416.576531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00651000	success
1619948416.576531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x023b3000	success
1619948416.576531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x023b4000	success
1619948416.623531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x023b5000	success
1619948416.623531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x023b6000	success
1619948416.623531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x023ba000	success
1619948416.639531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00652000	success
1619948416.639531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0046a000	success
1619948416.639531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00467000	success
1619948416.732531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00459000	success
1619948416.732531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00810000	success
1619948416.873531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00811000	success
1619948416.920531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00812000	success
1619948416.936531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00653000	success
1619948416.951531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0045d000	success
1619948416.951531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00813000	success
1619948416.967531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 12288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00654000	success
1619948454.982531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00657000	success
1619948455.186531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00658000	success
1619948455.279531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0044c000	success
1619948455.326531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00659000	success
1619948455.389531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00814000	success
1619948455.404531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x023cb000	success
1619948455.404531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x023cc000	success
1619948455.404531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x023cd000	success
1619948455.404531 NtAllocateVirtualMemory	process_identifier: 2984 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x023ce000	success

Creates a suspicious process (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WpdwJAQO" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp545.tmp"
cmdline	schtasks.exe /Create /TN "Updates\WpdwJAQO" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp545.tmp"

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948461.201531 ShellExecuteExW	parameters: /Create /TN "Updates\WpdwJAQO" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp545.tmp" filepath: schtasks.exe filepath_r: schtasks.exe show_type: 0	success	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 个事件)

entropy

7.111620159281303

section

{'size_of_data': '0x00080000', 'virtual_address': '0x00002000', 'entropy': 7.111620159281303, 'name': '.text', 'virtual_size': '0x0007ffe8'}

description

A section with a high entropy has been found

entropy

0.9961089494163424

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619965162.731374 LookupPrivilegeValueW	system_name: privilege_name: SeDebugPrivilege	success	1	0

Uses Windows utilities for basic Windows functionality (2 个事件)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WpdwJAQO" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp545.tmp"
cmdline	schtasks.exe /Create /TN "Updates\WpdwJAQO" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp545.tmp"

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Allocates execute permission to another process indicative of possible code injection (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948463.873531 NtAllocateVirtualMemory	process_identifier: 3044 region_size: 319488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000378 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0	0

A process attempted to delay the analysis task. (1 个事件)

description

dc29815abecb45095a5ffe4a92b8c4a3.exe tried to sleep 2728233 seconds, actually delayed analysis time by 2728233 seconds

Deletes executed files from disk (1 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp545.tmp

Potential code injection by writing to the memory of another process (4 个事件)

Time & API	Arguments	Status	Return
1619948463.873531 WriteProcessMemory	process_identifier: 3044 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL~{Þ^àz> @ à@ðK À H.textDx z `.rsrc \|@@.relocÀ@B process_handle: 0x00000378 base_address: 0x00400000	success	1
1619948463.873531 WriteProcessMemory	process_identifier: 3044 buffer: 0HX ´´4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoð000004b0,FileDescription 0FileVersion0.0.0.0p'InternalNamevMGXROoGxzgDfjNcnFLRAONzErWgvlJnyJ.exe(LegalCopyright x'OriginalFilenamevMGXROoGxzgDfjNcnFLRAONzErWgvlJnyJ.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x00000378 base_address: 0x0044a000	success	1
1619948463.873531 WriteProcessMemory	process_identifier: 3044 buffer: @8 process_handle: 0x00000378 base_address: 0x0044c000	success	1
1619948463.873531 WriteProcessMemory	process_identifier: 3044 buffer: @ process_handle: 0x00000378 base_address: 0x7efde008	success	1

Code injection by writing an executable or DLL to the memory of another process (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619948463.873531 WriteProcessMemory	process_identifier: 3044 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL~{Þ^àz> @ à@ðK À H.textDx z `.rsrc \|@@.relocÀ@B process_handle: 0x00000378 base_address: 0x00400000	success	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2984 called NtSetContextThread to modify thread in remote process 3044
1619948463.873531 NtSetContextThread	thread_handle: 0x00000320 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4495422 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3044	success	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2984 resumed a thread in remote process 3044
1619948464.107531 NtResumeThread	thread_handle: 0x00000320 suspend_count: 1 process_identifier: 3044	success	0	0

Generates some ICMP traffic

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)

dead_host

172.217.27.142:443

Executed a process and injected code into it, probably while unpacking (21 个事件)

Time & API	Arguments	Status	Return
1619948415.404531 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 2984	success	0
1619948415.420531 NtResumeThread	thread_handle: 0x00000128 suspend_count: 1 process_identifier: 2984	success	0
1619948415.467531 NtResumeThread	thread_handle: 0x00000170 suspend_count: 1 process_identifier: 2984	success	0
1619948461.201531 CreateProcessInternalW	thread_identifier: 3008 thread_handle: 0x0000032c process_identifier: 2548 current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WpdwJAQO" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp545.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) process_handle: 0x00000368 inherit_handles: 0	success	1
1619948463.857531 CreateProcessInternalW	thread_identifier: 2960 thread_handle: 0x00000320 process_identifier: 3044 current_directory: filepath: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\dc29815abecb45095a5ffe4a92b8c4a3.exe track: 1 command_line: "{path}" filepath_r: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\dc29815abecb45095a5ffe4a92b8c4a3.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) process_handle: 0x00000378 inherit_handles: 0	success	1
1619948463.857531 NtGetContextThread	thread_handle: 0x00000320	success	0
1619948463.873531 NtAllocateVirtualMemory	process_identifier: 3044 region_size: 319488 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0x00000378 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x00400000	success	0
1619948463.873531 WriteProcessMemory	process_identifier: 3044 buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL~{Þ^àz> @ à@ðK À H.textDx z `.rsrc \|@@.relocÀ@B process_handle: 0x00000378 base_address: 0x00400000	success	1
1619948463.873531 WriteProcessMemory	process_identifier: 3044 buffer: process_handle: 0x00000378 base_address: 0x00402000	success	1
1619948463.873531 WriteProcessMemory	process_identifier: 3044 buffer: 0HX ´´4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoð000004b0,FileDescription 0FileVersion0.0.0.0p'InternalNamevMGXROoGxzgDfjNcnFLRAONzErWgvlJnyJ.exe(LegalCopyright x'OriginalFilenamevMGXROoGxzgDfjNcnFLRAONzErWgvlJnyJ.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 process_handle: 0x00000378 base_address: 0x0044a000	success	1
1619948463.873531 WriteProcessMemory	process_identifier: 3044 buffer: @8 process_handle: 0x00000378 base_address: 0x0044c000	success	1
1619948463.873531 WriteProcessMemory	process_identifier: 3044 buffer: @ process_handle: 0x00000378 base_address: 0x7efde008	success	1
1619948463.873531 NtSetContextThread	thread_handle: 0x00000320 registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4495422 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 process_identifier: 3044	success	0
1619948464.107531 NtResumeThread	thread_handle: 0x00000320 suspend_count: 1 process_identifier: 3044	success	0
1619948464.107531 NtResumeThread	thread_handle: 0x0000038c suspend_count: 1 process_identifier: 2984	success	0
1619965150.637374 NtResumeThread	thread_handle: 0x000000d8 suspend_count: 1 process_identifier: 3044	success	0
1619965150.637374 NtResumeThread	thread_handle: 0x00000120 suspend_count: 1 process_identifier: 3044	success	0
1619965150.684374 NtResumeThread	thread_handle: 0x000001a4 suspend_count: 1 process_identifier: 3044	success	0
1619965166.559374 NtResumeThread	thread_handle: 0x000002e0 suspend_count: 1 process_identifier: 3044	success	0
1619965166.684374 NtResumeThread	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 3044	success	0
1619965168.684374 NtResumeThread	thread_handle: 0x0000036c suspend_count: 1 process_identifier: 3044	success	0

File has been identified by 52 AntiVirus engines on VirusTotal as malicious (50 out of 52 个事件)

MicroWorld-eScan	Trojan.GenericKD.34181083
FireEye	Generic.mg.dc29815abecb4509
McAfee	Fareit-FXH!DC29815ABECB
Cylance	Unsafe
Zillya	Trojan.Kryptik.Win32.2236643
Sangfor	Malware
K7AntiVirus	Trojan ( 0056aa7b1 )
Alibaba	Backdoor:MSIL/Masslogger.9594afc3
K7GW	Trojan ( 0056aa7b1 )
Cybereason	malicious.a305dd
Arcabit	Trojan.Generic.D2098FDB
TrendMicro	Backdoor.MSIL.ANDROM.THGAFBO
F-Prot	W32/MSIL_Kryptik.BCZ.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Backdoor.MSIL.Androm.gen
BitDefender	Trojan.GenericKD.34181083
Avast	Win32:DropperX-gen [Drp]
Tencent	Msil.Backdoor.Androm.Wrqf
Ad-Aware	Trojan.GenericKD.34181083
Sophos	Mal/Generic-S
F-Secure	Trojan.TR/Kryptik.vvjfl
DrWeb	Trojan.DownLoader33.65040
VIPRE	Trojan.Win32.Generic!BT
Invincea	heuristic
Emsisoft	Trojan.Crypt (A)
Cyren	W32/MSIL_Kryptik.BCZ.gen!Eldorado
Webroot	W32.Trojan.Gen
Avira	TR/Kryptik.vvjfl
Antiy-AVL	Trojan[Backdoor]/MSIL.Androm
Microsoft	Trojan:MSIL/Masslogger.AR!MTB
Endgame	malicious (high confidence)
AegisLab	Trojan.MSIL.Androm.m!c
ZoneAlarm	HEUR:Backdoor.MSIL.Androm.gen
GData	Trojan.GenericKD.34181083
Cynet	Malicious (score: 85)
AhnLab-V3	Trojan/Win32.Infostealer.R344975
BitDefenderTheta	Gen:NN.ZemsilCO.34144.Gm0@aekm4Ui
ALYac	Trojan.GenericKD.34181083
MAX	malware (ai score=86)
Malwarebytes	Trojan.MalPack.PNG.Generic
ESET-NOD32	a variant of MSIL/Kryptik.WWR
TrendMicro-HouseCall	Backdoor.MSIL.ANDROM.THGAFBO
Yandex	Trojan.AvsArher.bTJEKx
Ikarus	Trojan-Spy.MassLogger
eGambit	Unsafe.AI_Score_87%
Fortinet	MSIL/Kryptik.WXF!tr
AVG	Win32:DropperX-gen [Drp]
Panda	Trj/GdSda.A

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

2020-07-16 05:43:21

Imports

Library mscoree.dll:

• 0x402000 _CorExeMain

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
r4---sn-j5o76n7l.gvt1.com	A 58.63.233.69 CNAME r4.sn-j5o76n7l.gvt1.com	58.63.233.69
time.windows.com	A 20.189.79.72 CNAME time.microsoft.akadns.net
redirector.gvt1.com	A 203.208.41.33	203.208.41.33
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
clients2.google.com	CNAME clients.l.google.com A 172.217.27.142	172.217.27.142
r1---sn-j5o76n7e.gvt1.com	CNAME r1.sn-j5o76n7e.gvt1.com A 113.108.239.130	113.108.239.130
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
update.googleapis.com	A 203.208.40.66	203.208.40.66
teredo.ipv6.microsoft.com		127.0.0.1

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49191	113.108.239.130 r1---sn-j5o76n7e.gvt1.com	80
192.168.56.101	49189	203.208.40.66 update.googleapis.com	443
192.168.56.101	49190	203.208.41.33 redirector.gvt1.com	80
192.168.56.101	49192	58.63.233.69 r4---sn-j5o76n7l.gvt1.com	80

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	50568	114.114.114.114	53
192.168.56.101	51808	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	57756	114.114.114.114	53
192.168.56.101	58367	114.114.114.114	53
192.168.56.101	60384	114.114.114.114	53
192.168.56.101	61680	114.114.114.114	53
192.168.56.101	62318	114.114.114.114	53
192.168.56.101	63429	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	123	20.189.79.72 time.windows.com	123
192.168.56.101	49235	224.0.0.252	5355
192.168.56.101	49713	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355
192.168.56.101	51963	224.0.0.252	5355
192.168.56.101	53237	224.0.0.252	5355
192.168.56.101	56804	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: redirector.gvt1.com
http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619936174&mv=m&mvi=1&pl=23&shardbypass=yes	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619936174&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r1---sn-j5o76n7e.gvt1.com
http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=7e7ed8638c546d24&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619936174&mv=m	HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=7e7ed8638c546d24&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619936174&mv=m HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.5 X-Old-UID: cnt=0 X-Last-HR: 0x0 X-Last-HTTP-Status-Code: 0 X-Retry-Count: 0 X-HTTP-Attempts: 1 Host: r4---sn-j5o76n7l.gvt1.com

URI

Data

http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com

http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619936174&mv=m&mvi=1&pl=23&shardbypass=yes

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619936174&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7e.gvt1.com

http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=7e7ed8638c546d24&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619936174&mv=m

HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=7e7ed8638c546d24&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619936174&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.