14.6
0-day
48 个模型检测该样本为恶意!
重新分析
更多

f3c359459e4053699435535a4db8eed60a69ea9ebe8330626263fc6f9c1a8729

df7234080db7649371e96c68d1ab4364.exe

分析耗时

128s

最近分析

文件大小

487.5KB
静态报毒 动态报毒 AGENSLA AI SCORE=82 ATTRIBUTE BLUTEAL BTT2ZZ CONFIDENCE ELDORADO EU0@AYUCLZB FAREIT GDSDA GENERICKD GENERICKDZ HIGH CONFIDENCE HIGHCONFIDENCE IGENT KRYPTIK MALICIOUS PE MALWARE@#2ZTYQVJQOMPU0 NANOCORE R339415 REMCOS SCORE STATIC AI TROJANPSW TROJANX TSCOPE UNSAFE VDMEK YAKBEEXMSIL ZEMSILF 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee Fareit-FUE!DF7234080DB7 20201211 6.0.6.653
Alibaba TrojanPSW:MSIL/Nanocore.ff6f5a3e 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast Win32:TrojanX-gen [Trj] 20201210 21.1.5827.0
Kingsoft 20201211 2017.9.26.565
CrowdStrike win/malicious_confidence_90% (W) 20190702 1.0
静态指标
Queries for the computername (1 个事件)
Time & API Arguments Status Return Repeated
1619970448.747875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if process is being debugged by a debugger (50 out of 101 个事件)
Time & API Arguments Status Return Repeated
1619948416.551074
IsDebuggerPresent
failed 0 0
1619948416.566074
IsDebuggerPresent
failed 0 0
1619948420.738074
IsDebuggerPresent
failed 0 0
1619948421.238074
IsDebuggerPresent
failed 0 0
1619948421.785074
IsDebuggerPresent
failed 0 0
1619948422.238074
IsDebuggerPresent
failed 0 0
1619948422.785074
IsDebuggerPresent
failed 0 0
1619948423.238074
IsDebuggerPresent
failed 0 0
1619948423.785074
IsDebuggerPresent
failed 0 0
1619948424.238074
IsDebuggerPresent
failed 0 0
1619948424.785074
IsDebuggerPresent
failed 0 0
1619948425.238074
IsDebuggerPresent
failed 0 0
1619948425.785074
IsDebuggerPresent
failed 0 0
1619948426.238074
IsDebuggerPresent
failed 0 0
1619948426.785074
IsDebuggerPresent
failed 0 0
1619948427.238074
IsDebuggerPresent
failed 0 0
1619948427.785074
IsDebuggerPresent
failed 0 0
1619948428.238074
IsDebuggerPresent
failed 0 0
1619948428.785074
IsDebuggerPresent
failed 0 0
1619948429.238074
IsDebuggerPresent
failed 0 0
1619948429.785074
IsDebuggerPresent
failed 0 0
1619948430.238074
IsDebuggerPresent
failed 0 0
1619948430.785074
IsDebuggerPresent
failed 0 0
1619948431.238074
IsDebuggerPresent
failed 0 0
1619948431.785074
IsDebuggerPresent
failed 0 0
1619948432.238074
IsDebuggerPresent
failed 0 0
1619948432.785074
IsDebuggerPresent
failed 0 0
1619948433.238074
IsDebuggerPresent
failed 0 0
1619948433.785074
IsDebuggerPresent
failed 0 0
1619948434.238074
IsDebuggerPresent
failed 0 0
1619948434.785074
IsDebuggerPresent
failed 0 0
1619948435.238074
IsDebuggerPresent
failed 0 0
1619948435.785074
IsDebuggerPresent
failed 0 0
1619948436.238074
IsDebuggerPresent
failed 0 0
1619948436.785074
IsDebuggerPresent
failed 0 0
1619948437.238074
IsDebuggerPresent
failed 0 0
1619948437.785074
IsDebuggerPresent
failed 0 0
1619948438.238074
IsDebuggerPresent
failed 0 0
1619948438.785074
IsDebuggerPresent
failed 0 0
1619948439.238074
IsDebuggerPresent
failed 0 0
1619948439.785074
IsDebuggerPresent
failed 0 0
1619948440.238074
IsDebuggerPresent
failed 0 0
1619948440.785074
IsDebuggerPresent
failed 0 0
1619948441.238074
IsDebuggerPresent
failed 0 0
1619948441.785074
IsDebuggerPresent
failed 0 0
1619948442.238074
IsDebuggerPresent
failed 0 0
1619948442.785074
IsDebuggerPresent
failed 0 0
1619948443.238074
IsDebuggerPresent
failed 0 0
1619948443.785074
IsDebuggerPresent
failed 0 0
1619948444.238074
IsDebuggerPresent
failed 0 0
Command line console output was observed (1 个事件)
Time & API Arguments Status Return Repeated
1619970449.544875
WriteConsoleW
buffer: 成功: 成功创建计划任务 "Updates\ZFNBzQ"。
console_handle: 0x00000007
success 1 0
Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)
Time & API Arguments Status Return Repeated
1619948416.582074
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 个事件)
section #R|{J%p6
section
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)
suspicious_features POST method with no referer header suspicious_request POST https://update.googleapis.com/service/update2?cup2key=10:781231352&cup2hreq=1bfc3fc97fa8efd3d2e0447dae7c9e461a35b2cdd68c88233f45ce93ad96f1bf
Connects to a Dynamic DNS Domain (1 个事件)
domain dolxxrem.hopto.org
Performs some HTTP requests (5 个事件)
request HEAD http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe
request HEAD http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619941453&mv=m&mvi=1&pl=23&shardbypass=yes
request HEAD http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=b9c27a3c3b2e2115&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619941695&mv=m
request GET http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=b9c27a3c3b2e2115&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619941695&mv=m
request POST https://update.googleapis.com/service/update2?cup2key=10:781231352&cup2hreq=1bfc3fc97fa8efd3d2e0447dae7c9e461a35b2cdd68c88233f45ce93ad96f1bf
Sends data using the HTTP POST Method (1 个事件)
request POST https://update.googleapis.com/service/update2?cup2key=10:781231352&cup2hreq=1bfc3fc97fa8efd3d2e0447dae7c9e461a35b2cdd68c88233f45ce93ad96f1bf
Allocates read-write-execute memory (usually to unpack itself) (50 out of 60 个事件)
Time & API Arguments Status Return Repeated
1619948416.020074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 2293760
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00a30000
success 0 0
1619948416.020074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00c20000
success 0 0
1619948416.395074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 917504
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00570000
success 0 0
1619948416.395074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00610000
success 0 0
1619948416.504074
NtProtectVirtualMemory
process_identifier: 1404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1619948416.551074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 1114112
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00660000
success 0 0
1619948416.551074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00730000
success 0 0
1619948416.566074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0057a000
success 0 0
1619948416.566074
NtProtectVirtualMemory
process_identifier: 1404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1619948416.566074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00572000
success 0 0
1619948416.723074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00582000
success 0 0
1619948416.816074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a5000
success 0 0
1619948416.816074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005ab000
success 0 0
1619948416.816074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x005a7000
success 0 0
1619948416.895074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00583000
success 0 0
1619948416.926074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0058c000
success 0 0
1619948416.941074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00584000
success 0 0
1619948416.988074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00710000
success 0 0
1619948417.176074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00711000
success 0 0
1619948417.254074
NtProtectVirtualMemory
process_identifier: 1404
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 167936
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x009a2000
success 0 0
1619948420.129074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00712000
success 0 0
1619948420.129074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00585000
success 0 0
1619948420.145074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00713000
success 0 0
1619948420.160074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00714000
success 0 0
1619948420.348074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00715000
success 0 0
1619948420.363074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00716000
success 0 0
1619948420.473074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00717000
success 0 0
1619948420.738074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00718000
success 0 0
1619948420.754074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00586000
success 0 0
1619948420.910074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00587000
success 0 0
1619948420.973074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00588000
success 0 0
1619948421.238074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0059a000
success 0 0
1619948421.238074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00597000
success 0 0
1619948421.363074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00719000
success 0 0
1619948421.645074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0058a000
success 0 0
1619948421.645074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0071c000
success 0 0
1619948421.770074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00611000
success 0 0
1619948421.785074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00596000
success 0 0
1619948421.926074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0071d000
success 0 0
1619948454.988074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00589000
success 0 0
1619948455.129074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0071e000
success 0 0
1619948455.176074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04e20000
success 0 0
1619948455.176074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04e21000
success 0 0
1619948455.191074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04e22000
success 0 0
1619948455.191074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00731000
success 0 0
1619948455.207074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00732000
success 0 0
1619948455.207074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00733000
success 0 0
1619948455.207074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00734000
success 0 0
1619948455.223074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00735000
success 0 0
1619948455.223074
NtAllocateVirtualMemory
process_identifier: 1404
region_size: 12288
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00737000
success 0 0
A process attempted to delay the analysis task. (2 个事件)
description df7234080db7649371e96c68d1ab4364.exe tried to sleep 140 seconds, actually delayed analysis time by 140 seconds
description vbc.exe tried to sleep 244 seconds, actually delayed analysis time by 244 seconds
Steals private information from local Internet browsers (2 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Cookies
file C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Login Data
Creates a suspicious process (2 个事件)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZFNBzQ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp112C.tmp"
cmdline schtasks.exe /Create /TN "Updates\ZFNBzQ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp112C.tmp"
A process created a hidden window (1 个事件)
Time & API Arguments Status Return Repeated
1619948465.957074
ShellExecuteExW
parameters: /Create /TN "Updates\ZFNBzQ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp112C.tmp"
filepath: schtasks.exe
filepath_r: schtasks.exe
show_type: 0
success 1 0
The binary likely contains encrypted or compressed data indicative of a packer (3 个事件)
entropy 7.9987941015477295 section {'size_of_data': '0x00028200', 'virtual_address': '0x00002000', 'entropy': 7.9987941015477295, 'name': '#R|{J%p6', 'virtual_size': '0x000280c4'} description A section with a high entropy has been found
entropy 7.0596363644349 section {'size_of_data': '0x0004fc00', 'virtual_address': '0x0002c000', 'entropy': 7.0596363644349, 'name': '.text', 'virtual_size': '0x0004fbf8'} description A section with a high entropy has been found
entropy 0.9856115107913669 description Overall entropy of this PE file is high
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 个事件)
Time & API Arguments Status Return Repeated
1619948417.238074
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Terminates another process (4 个事件)
Time & API Arguments Status Return Repeated
1619948469.160074
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2216
process_handle: 0x00010ee0
failed 0 0
1619948469.160074
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2216
process_handle: 0x00010ee0
success 0 0
1619948469.504074
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2952
process_handle: 0x00002130
failed 0 0
1619948469.504074
NtTerminateProcess
status_code: 0xffffffff
process_identifier: 2952
process_handle: 0x00002130
success 0 0
Uses Windows utilities for basic Windows functionality (2 个事件)
cmdline "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZFNBzQ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp112C.tmp"
cmdline schtasks.exe /Create /TN "Updates\ZFNBzQ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp112C.tmp"
网络通信
One or more of the buffers contains an embedded PE file (1 个事件)
buffer Buffer with sha1: 8eba23b69aaf99092a334a5201ae09ce57807fef
Communicates with host for which no DNS query was performed (1 个事件)
host 172.217.24.14
Allocates execute permission to another process indicative of possible code injection (3 个事件)
Time & API Arguments Status Return Repeated
1619948468.910074
NtAllocateVirtualMemory
process_identifier: 2216
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00010edc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619948469.254074
NtAllocateVirtualMemory
process_identifier: 2952
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00010ed8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619948469.613074
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00010ee4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
Manipulates memory of a non-child process indicative of process injection (4 个事件)
Process injection Process 1404 manipulating memory of non-child process 2216
Process injection Process 1404 manipulating memory of non-child process 2952
Time & API Arguments Status Return Repeated
1619948468.910074
NtAllocateVirtualMemory
process_identifier: 2216
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00010edc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619948469.254074
NtAllocateVirtualMemory
process_identifier: 2952
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00010ed8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
Potential code injection by writing to the memory of another process (1 个事件)
Time & API Arguments Status Return Repeated
1619948469.613074
WriteProcessMemory
process_identifier: 2996
buffer: @
process_handle: 0x00010ee4
base_address: 0xfffde008
success 1 0
Creates a windows hook that monitors keyboard input (keylogger) (1 个事件)
Time & API Arguments Status Return Repeated
1619970452.888625
SetWindowsHookExA
thread_identifier: 0
callback_function: 0x004051ae
module_address: 0x00000000
hook_identifier: 13 (WH_KEYBOARD_LL)
success 393455 0
Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 个事件)
Process injection Process 1404 called NtSetContextThread to modify thread in remote process 2996
Time & API Arguments Status Return Repeated
1619948469.613074
NtSetContextThread
thread_handle: 0x00002130
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
process_identifier: 2996
success 0 0
Resumed a suspended thread in a remote process potentially indicative of process injection (2 个事件)
Process injection Process 1404 resumed a thread in remote process 2996
Time & API Arguments Status Return Repeated
1619948469.895074
NtResumeThread
thread_handle: 0x00002130
suspend_count: 1
process_identifier: 2996
success 0 0
Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 个事件)
dead_host 172.217.160.78:443
Executed a process and injected code into it, probably while unpacking (25 个事件)
Time & API Arguments Status Return Repeated
1619948416.566074
NtResumeThread
thread_handle: 0x000000d8
suspend_count: 1
process_identifier: 1404
success 0 0
1619948416.582074
NtResumeThread
thread_handle: 0x00000120
suspend_count: 1
process_identifier: 1404
success 0 0
1619948416.598074
NtResumeThread
thread_handle: 0x00000170
suspend_count: 1
process_identifier: 1404
success 0 0
1619948420.707074
NtResumeThread
thread_handle: 0x00005274
suspend_count: 1
process_identifier: 1404
success 0 0
1619948420.707074
NtResumeThread
thread_handle: 0x00010e2c
suspend_count: 1
process_identifier: 1404
success 0 0
1619948465.957074
CreateProcessInternalW
thread_identifier: 3008
thread_handle: 0x00010ee4
process_identifier: 2548
current_directory: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp
filepath: C:\Windows\System32\schtasks.exe
track: 1
command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZFNBzQ" /XML "C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\tmp112C.tmp"
filepath_r: C:\Windows\System32\schtasks.exe
stack_pivoted: 0
creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT)
process_handle: 0x00002130
inherit_handles: 0
success 1 0
1619948468.895074
CreateProcessInternalW
thread_identifier: 2984
thread_handle: 0x00001414
process_identifier: 2216
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
track: 1
command_line: "{path}"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00010edc
inherit_handles: 0
success 1 0
1619948468.910074
NtGetContextThread
thread_handle: 0x00001414
success 0 0
1619948468.910074
NtAllocateVirtualMemory
process_identifier: 2216
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00010edc
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619948469.254074
CreateProcessInternalW
thread_identifier: 2436
thread_handle: 0x00010ee0
process_identifier: 2952
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
track: 1
command_line: "{path}"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00010ed8
inherit_handles: 0
success 1 0
1619948469.254074
NtGetContextThread
thread_handle: 0x00010ee0
success 0 0
1619948469.254074
NtAllocateVirtualMemory
process_identifier: 2952
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00010ed8
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
failed 3221225496 0
1619948469.613074
CreateProcessInternalW
thread_identifier: 1208
thread_handle: 0x00002130
process_identifier: 2996
current_directory:
filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
track: 1
command_line: "{path}"
filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
stack_pivoted: 0
creation_flags: 4 (CREATE_SUSPENDED)
process_handle: 0x00010ee4
inherit_handles: 0
success 1 0
1619948469.613074
NtGetContextThread
thread_handle: 0x00002130
success 0 0
1619948469.613074
NtAllocateVirtualMemory
process_identifier: 2996
region_size: 131072
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0x00010ee4
allocation_type: 12288 (MEM_COMMIT|MEM_RESERVE)
base_address: 0x00400000
success 0 0
1619948469.613074
WriteProcessMemory
process_identifier: 2996
buffer:
process_handle: 0x00010ee4
base_address: 0x00400000
success 1 0
1619948469.613074
WriteProcessMemory
process_identifier: 2996
buffer:
process_handle: 0x00010ee4
base_address: 0x00401000
success 1 0
1619948469.613074
WriteProcessMemory
process_identifier: 2996
buffer:
process_handle: 0x00010ee4
base_address: 0x00414000
success 1 0
1619948469.613074
WriteProcessMemory
process_identifier: 2996
buffer:
process_handle: 0x00010ee4
base_address: 0x0041a000
success 1 0
1619948469.613074
WriteProcessMemory
process_identifier: 2996
buffer:
process_handle: 0x00010ee4
base_address: 0x0041c000
success 1 0
1619948469.613074
WriteProcessMemory
process_identifier: 2996
buffer:
process_handle: 0x00010ee4
base_address: 0x0041d000
success 1 0
1619948469.613074
WriteProcessMemory
process_identifier: 2996
buffer: @
process_handle: 0x00010ee4
base_address: 0xfffde008
success 1 0
1619948469.613074
NtSetContextThread
thread_handle: 0x00002130
registers.eip: 0
registers.esp: 0
registers.edi: 0
registers.eax: 4274820
registers.ebp: 0
registers.edx: 0
registers.ebx: -139264
registers.esi: 0
registers.ecx: 0
process_identifier: 2996
success 0 0
1619948469.895074
NtResumeThread
thread_handle: 0x00002130
suspend_count: 1
process_identifier: 2996
success 0 0
1619948469.895074
NtResumeThread
thread_handle: 0x0000ce74
suspend_count: 1
process_identifier: 1404
success 0 0
File has been identified by 48 AntiVirus engines on VirusTotal as malicious (48 个事件)
Elastic malicious (high confidence)
MicroWorld-eScan Trojan.GenericKD.43279460
FireEye Generic.mg.df7234080db76493
CAT-QuickHeal Trojan.YakbeexMSIL.ZZ4
McAfee Fareit-FUE!DF7234080DB7
Malwarebytes Trojan.Crypt.Generic
K7AntiVirus Trojan ( 00561f911 )
Alibaba TrojanPSW:MSIL/Nanocore.ff6f5a3e
K7GW Trojan ( 00561f911 )
Arcabit Trojan.Generic.D2946464
Cyren W32/MSIL_Troj.VP.gen!Eldorado
Symantec ML.Attribute.HighConfidence
APEX Malicious
Avast Win32:TrojanX-gen [Trj]
ClamAV Win.Trojan.Generickdz-9783024-0
Kaspersky HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender Trojan.GenericKD.43279460
Paloalto generic.ml
Ad-Aware Trojan.GenericKD.43279460
Emsisoft Trojan.GenericKD.43279460 (B)
Comodo Malware@#2ztyqvjqompu0
F-Secure Trojan.TR/AD.Remcos.vdmek
VIPRE Trojan.Win32.Generic!BT
McAfee-GW-Edition BehavesLike.Win32.Generic.gc
Sophos Mal/Generic-S
Ikarus Trojan-Rat.NanoCore
Webroot W32.Trojan.Gen
Avira TR/AD.Remcos.vdmek
MAX malware (ai score=82)
Antiy-AVL Trojan[PSW]/MSIL.Agensla
Gridinsoft Trojan.Heur!.030130A1
Microsoft Trojan:Win32/Bluteal!rfn
AegisLab Trojan.Multi.Generic.4!c
ZoneAlarm HEUR:Trojan-PSW.MSIL.Agensla.gen
GData Trojan.GenericKD.43279460
Cynet Malicious (score: 100)
AhnLab-V3 Trojan/Win32.Kryptik.R339415
BitDefenderTheta Gen:NN.ZemsilF.34670.Eu0@ayuClzb
VBA32 TScope.Trojan.MSIL
Cylance Unsafe
ESET-NOD32 a variant of MSIL/Kryptik.UXZ
Yandex Trojan.Igent.bTT2ZZ.37
SentinelOne Static AI - Malicious PE
Fortinet MSIL/Kryptik.UXZ!tr
AVG Win32:TrojanX-gen [Trj]
Panda Trj/GdSda.A
CrowdStrike win/malicious_confidence_90% (W)
Qihoo-360 Generic/Trojan.PSW.374
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2020-06-03 21:53:23

Imports

Library mscoree.dll:
0x480000 _CorExeMain

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.56.101 49229 113.108.239.130 r1---sn-j5o76n7e.gvt1.com 80
192.168.56.101 49228 203.208.41.65 redirector.gvt1.com 80
192.168.56.101 49223 203.208.41.66 update.googleapis.com 443
192.168.56.101 49230 58.63.233.69 r4---sn-j5o76n7l.gvt1.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49713 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 50568 114.114.114.114 53
192.168.56.101 51378 114.114.114.114 53
192.168.56.101 55368 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50002 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355
192.168.56.101 62191 224.0.0.252 5355
192.168.56.101 62912 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://redirector.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: redirector.gvt1.com
http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=b9c27a3c3b2e2115&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619941695&mv=m 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=b9c27a3c3b2e2115&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619941695&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=7173-19113
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com
http://r1---sn-j5o76n7e.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619941453&mv=m&mvi=1&pl=23&shardbypass=yes 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?cms_redirect=yes&mh=ms&mip=202.100.214.105&mm=28&mn=sn-j5o76n7e&ms=nvh&mt=1619941453&mv=m&mvi=1&pl=23&shardbypass=yes HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r1---sn-j5o76n7e.gvt1.com
http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=b9c27a3c3b2e2115&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619941695&mv=m 
HEAD /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=b9c27a3c3b2e2115&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619941695&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com
http://r4---sn-j5o76n7l.gvt1.com/edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=b9c27a3c3b2e2115&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619941695&mv=m 
GET /edgedl/release2/update2/AIUdiWYcaIvMz1IBNCM0PPo_1.3.36.82/GoogleUpdateSetup.exe?mh=ms&mvi=4&pl=17&shardbypass=yes&redirect_counter=1&rm=sn-j5oe7e&req_id=b9c27a3c3b2e2115&cms_redirect=yes&ipbypass=yes&mip=59.50.85.28&mm=28&mn=sn-j5o76n7l&ms=nvh&mt=1619941695&mv=m HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Tue, 13 Apr 2021 03:03:58 GMT
Range: bytes=0-7172
User-Agent: Microsoft BITS/7.5
X-Old-UID: cnt=0
X-Last-HR: 0x0
X-Last-HTTP-Status-Code: 0
X-Retry-Count: 0
X-HTTP-Attempts: 1
Host: r4---sn-j5o76n7l.gvt1.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.