10.0
0-day

4070819aaf29bf0997834e6456a56a54801e2edde3e241c0195f496da28c1b6e

474a8700f68a3b2914d8b6eadc205afa.exe

Analysis duration

99s

Most recent analysis

File size

347.4KB
Static detection / Dynamic detection: WEBCOMPANION
Eagle Eye engine
Not detected: no Eagle Eye engine result available
Static verdict
Antivirus engines
Engine Result Scan time Engine version
McAfee 20190422 6.0.6.653
Alibaba 20190402 0.3.0.4
Baidu 20190318 1.0.0.2
Avast 20190422 18.4.3895.0
Tencent 20190422 1.0.0.1
Kingsoft 20190422 2013.8.14.323
CrowdStrike 20190212 1.0
Static indicators
Queries for the computer name (23 events)
Time & API Arguments Status Return Repeated
1620974588.735875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620974591.392875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620974593.095875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620974594.501875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620974595.876875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620974597.313875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620974597.392875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620974597.438875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620974597.548875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620974597.626875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620974597.704875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620974597.751875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620974597.829875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620974597.938875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620974598.017875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620974598.079875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620974598.188875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620974598.267875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620974598.329875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620974598.407875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620974598.532875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620974598.657875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1620974599.423875
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks if the process is being debugged by a debugger (11 events)
Time & API Arguments Status Return Repeated
1620974557.267875
IsDebuggerPresent
failed 0 0
1620974604.985875
IsDebuggerPresent
failed 0 0
1620974605.095875
IsDebuggerPresent
failed 0 0
1620974605.188875
IsDebuggerPresent
failed 0 0
1620974605.329875
IsDebuggerPresent
failed 0 0
1620974605.563875
IsDebuggerPresent
failed 0 0
1620974605.657875
IsDebuggerPresent
failed 0 0
1620974605.907875
IsDebuggerPresent
failed 0 0
1620974605.907875
IsDebuggerPresent
failed 0 0
1620974605.970875
IsDebuggerPresent
failed 0 0
1620974615.173875
IsDebuggerPresent
failed 0 0
This executable is signed
Checks the amount of memory in the system; this can be used to detect virtual machines that have little memory available (1 event)
Time & API Arguments Status Return Repeated
1620974609.610875
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)
section .sxdata
The executable uses a known packer (1 event)
packer Armadillo v1.71
One or more processes crashed (4 events)
Time & API Arguments Status Return Repeated
1620974593.048875
__exception__
stacktrace:
0x58617a6
0x5861605
0x58614e7
0x58612b0
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x11ff1 mscorwks+0x193cb @ 0x73f493cb
CoUninitializeEE-0x11fb0 mscorwks+0x1940c @ 0x73f4940c
CoUninitializeEE-0x11f43 mscorwks+0x19479 @ 0x73f49479
CoUninitializeEE-0x8c99 mscorwks+0x22723 @ 0x73f52723
CoUninitializeEE-0x8db6 mscorwks+0x22606 @ 0x73f52606
CoUninitializeEE-0x1b6a7 mscorwks+0xfd15 @ 0x73f3fd15
CoUninitializeEE-0x1b389 mscorwks+0x10033 @ 0x73f40033
0xbd083e
0x586014b
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
NGenCreateNGenWorker+0x1f53 GetMetaDataPublicInterfaceFromInternal-0xdaac mscorwks+0xfeb34 @ 0x7402eb34
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x750a55ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75117f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75114de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 4254024
registers.edi: 46121296
registers.eax: 0
registers.ebp: 4254068
registers.edx: 158
registers.ebx: 4254260
registers.esi: 46142816
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 28 89 45 d8 eb 13 e8 2d 03 6d 6e 8b
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x58618f8
success 0 0
1620974594.454875
__exception__
stacktrace:
0x58617cb
0x5861605
0x58614e7
0x58612b0
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x11ff1 mscorwks+0x193cb @ 0x73f493cb
CoUninitializeEE-0x11fb0 mscorwks+0x1940c @ 0x73f4940c
CoUninitializeEE-0x11f43 mscorwks+0x19479 @ 0x73f49479
CoUninitializeEE-0x8c99 mscorwks+0x22723 @ 0x73f52723
CoUninitializeEE-0x8db6 mscorwks+0x22606 @ 0x73f52606
CoUninitializeEE-0x1b6a7 mscorwks+0xfd15 @ 0x73f3fd15
CoUninitializeEE-0x1b389 mscorwks+0x10033 @ 0x73f40033
0xbd083e
0x586014b
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
NGenCreateNGenWorker+0x1f53 GetMetaDataPublicInterfaceFromInternal-0xdaac mscorwks+0xfeb34 @ 0x7402eb34
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x750a55ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75117f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75114de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 4254024
registers.edi: 46121296
registers.eax: 0
registers.ebp: 4254068
registers.edx: 158
registers.ebx: 4254260
registers.esi: 46177812
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 28 89 45 d8 eb 13 e8 2d 03 6d 6e 8b
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x58618f8
success 0 0
1620974597.485875
__exception__
stacktrace:
0x58619bf
0x586162a
0x58614e7
0x58612b0
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x11ff1 mscorwks+0x193cb @ 0x73f493cb
CoUninitializeEE-0x11fb0 mscorwks+0x1940c @ 0x73f4940c
CoUninitializeEE-0x11f43 mscorwks+0x19479 @ 0x73f49479
CoUninitializeEE-0x8c99 mscorwks+0x22723 @ 0x73f52723
CoUninitializeEE-0x8db6 mscorwks+0x22606 @ 0x73f52606
CoUninitializeEE-0x1b6a7 mscorwks+0xfd15 @ 0x73f3fd15
CoUninitializeEE-0x1b389 mscorwks+0x10033 @ 0x73f40033
0xbd083e
0x586014b
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
NGenCreateNGenWorker+0x1f53 GetMetaDataPublicInterfaceFromInternal-0xdaac mscorwks+0xfeb34 @ 0x7402eb34
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x750a55ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75117f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75114de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 4254024
registers.edi: 46229464
registers.eax: 0
registers.ebp: 4254068
registers.edx: 158
registers.ebx: 4254260
registers.esi: 46266916
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 28 89 45 d8 eb 13 e8 2d 03 6d 6e 8b
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x58618f8
success 0 0
1620974597.782875
__exception__
stacktrace:
0x5861a56
0x586164f
0x58614e7
0x58612b0
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x11ff1 mscorwks+0x193cb @ 0x73f493cb
CoUninitializeEE-0x11fb0 mscorwks+0x1940c @ 0x73f4940c
CoUninitializeEE-0x11f43 mscorwks+0x19479 @ 0x73f49479
CoUninitializeEE-0x8c99 mscorwks+0x22723 @ 0x73f52723
CoUninitializeEE-0x8db6 mscorwks+0x22606 @ 0x73f52606
CoUninitializeEE-0x1b6a7 mscorwks+0xfd15 @ 0x73f3fd15
CoUninitializeEE-0x1b389 mscorwks+0x10033 @ 0x73f40033
0xbd083e
0x586014b
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
NGenCreateNGenWorker+0x1f53 GetMetaDataPublicInterfaceFromInternal-0xdaac mscorwks+0xfeb34 @ 0x7402eb34
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x750a55ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x75117f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x75114de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 4254020
registers.edi: 46323644
registers.eax: 0
registers.ebp: 4254064
registers.edx: 158
registers.ebx: 4254260
registers.esi: 46351684
registers.ecx: 0
exception.instruction_r: 8b 01 ff 50 28 89 45 d8 eb 13 e8 2d 03 6d 6e 8b
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x58618f8
success 0 0
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware-related traffic (1 event)
suspicious_features: POST method with no referer header, POST method with no useragent header
suspicious_request: POST http://wc-tracking.lavasoft.com/Install.asmx
Performs some HTTP requests (4 events)
request GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
request GET http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D
request GET http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEHbufvBDgh52FD6VEFUzieE%3D
request POST http://wc-tracking.lavasoft.com/Install.asmx
Sends data using the HTTP POST method (1 event)
request POST http://wc-tracking.lavasoft.com/Install.asmx
Allocates read-write-execute memory (usually to unpack itself) (50 of 134 events shown)
Time & API Arguments Status Return Repeated
1620974556.657875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x750a1000
success 0 0
1620974556.688875
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 1048576
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00b10000
success 0 0
1620974556.688875
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00bd0000
success 0 0
1620974556.954875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1620974556.954875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75044000
success 0 0
1620974557.142875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f31000
success 0 0
1620974557.282875
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004da000
success 0 0
1620974557.282875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73f32000
success 0 0
1620974557.282875
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004d2000
success 0 0
1620974557.563875
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e2000
success 0 0
1620974557.642875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x64021000
success 0 0
1620974557.642875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75c41000
success 0 0
1620974557.642875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x747b1000
success 0 0
1620974557.751875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74fc1000
success 0 0
1620974557.907875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76851000
success 0 0
1620974558.095875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74771000
success 0 0
1620974558.095875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74751000
success 0 0
1620974558.142875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74711000
success 0 0
1620974558.485875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x746d1000
success 0 0
1620974558.485875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x76881000
success 0 0
1620974558.532875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75091000
success 0 0
1620974558.626875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x746b1000
success 0 0
1620974558.657875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x746a1000
success 0 0
1620974558.985875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74641000
success 0 0
1620974558.985875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x745f1000
success 0 0
1620974558.985875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x77531000
success 0 0
1620974559.001875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x75a01000
success 0 0
1620974559.001875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x745e1000
success 0 0
1620974559.032875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x745a1000
success 0 0
1620974559.063875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x74561000
success 0 0
1620974564.376875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73ee1000
success 0 0
1620974583.470875
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e3000
success 0 0
1620974583.517875
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0072b000
success 0 0
1620974583.517875
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00727000
success 0 0
1620974584.595875
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e4000
success 0 0
1620974584.595875
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e5000
success 0 0
1620974584.642875
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e6000
success 0 0
1620974584.704875
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ec000
success 0 0
1620974584.798875
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004ea000
success 0 0
1620974585.126875
NtProtectVirtualMemory
process_identifier: 2764
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x70081000
success 0 0
1620974585.501875
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x05860000
success 0 0
1620974585.563875
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e8000
success 0 0
1620974585.704875
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004f6000
success 0 0
1620974585.720875
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0071a000
success 0 0
1620974585.720875
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00725000
success 0 0
1620974585.735875
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004fa000
success 0 0
1620974585.735875
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004f7000
success 0 0
1620974586.110875
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00712000
success 0 0
1620974586.110875
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004e9000
success 0 0
1620974586.173875
NtAllocateVirtualMemory
process_identifier: 2764
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x004db000
success 0 0
Creates executable files on the filesystem (12 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\en-US\WebCompanionInstaller.resources.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\WebCompanionInstaller.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\de-DE\WebCompanionInstaller.resources.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\ja-JP\WebCompanionInstaller.resources.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\it-IT\WebCompanionInstaller.resources.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\zh-CHS\WebCompanionInstaller.resources.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\ru-RU\WebCompanionInstaller.resources.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\fr-CA\WebCompanionInstaller.resources.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\es-ES\WebCompanionInstaller.resources.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\pt-BR\WebCompanionInstaller.resources.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\tr-TR\WebCompanionInstaller.resources.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\ICSharpCode.SharpZipLib.dll
Drops an executable to the user AppData folder (12 events)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\zh-CHS\WebCompanionInstaller.resources.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\ICSharpCode.SharpZipLib.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\ja-JP\WebCompanionInstaller.resources.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\pt-BR\WebCompanionInstaller.resources.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\en-US\WebCompanionInstaller.resources.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\WebCompanionInstaller.exe
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\fr-CA\WebCompanionInstaller.resources.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\ru-RU\WebCompanionInstaller.resources.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\es-ES\WebCompanionInstaller.resources.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\tr-TR\WebCompanionInstaller.resources.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\it-IT\WebCompanionInstaller.resources.dll
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\7zS5E76.tmp\de-DE\WebCompanionInstaller.resources.dll
Executes one or more WMI queries (1 event)
wmi SELECT * FROM Win32_OperatingSystem
File has been identified by 2 antivirus engines on VirusTotal as malicious (2 events)
DrWeb Program.Unwanted.3151
ESET-NOD32 a variant of MSIL/WebCompanion.C potentially unwanted
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1620974559.095875
GetAdaptersAddresses
flags: 15
family: 0
failed 111 0
Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)
Time & API Arguments Status Return Repeated
1620974605.267875
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
Network communication
Communicates with a host for which no DNS query was performed (1 event)
host 172.217.24.14
Attempts to identify installed AV products by installation directory (5 events)
file C:\ProgramData\Lavasoft\Web Companion\Options
file C:\ProgramData\Lavasoft
file C:\ProgramData\Lavasoft\Web Companion
file C:\ProgramData\Lavasoft\Web Companion\Options\Statistics.txt
file C:\ProgramData\Lavasoft\Web Companion\
Looks for the Windows idle time to determine the uptime (1 event)
Time & API Arguments Status Return Repeated
1620974590.688875
NtQuerySystemInformation
information_class: 8 (SystemProcessorPerformanceInformation)
success 0 0
Attempts to create or modify system certificates (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob
Generates some ICMP traffic
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 142.250.66.110:443
Visual analysis
Binary image
No binary image: no binary visualization was generated for this sample
Runtime screenshots
No screenshots: no screenshots were captured while this sample ran


PE Compile Time

2010-11-19 00:27:35

Imports

Library OLEAUT32.dll:
0x41b190 VariantClear
0x41b194 SysAllocString
Library USER32.dll:
0x41b1a4 SendMessageA
0x41b1a8 SetTimer
0x41b1ac DialogBoxParamW
0x41b1b0 DialogBoxParamA
0x41b1b4 SetWindowLongA
0x41b1b8 GetWindowLongA
0x41b1bc SetWindowTextW
0x41b1c0 LoadIconA
0x41b1c4 LoadStringW
0x41b1c8 LoadStringA
0x41b1cc CharUpperW
0x41b1d0 CharUpperA
0x41b1d4 DestroyWindow
0x41b1d8 EndDialog
0x41b1dc PostMessageA
0x41b1e0 ShowWindow
0x41b1e4 MessageBoxW
0x41b1e8 GetDlgItem
0x41b1ec KillTimer
0x41b1f0 SetWindowTextA
Library SHELL32.dll:
0x41b19c ShellExecuteExA
Library KERNEL32.dll:
0x41b000 GetStringTypeW
0x41b004 GetStringTypeA
0x41b008 LCMapStringW
0x41b00c LCMapStringA
0x41b018 GetProcAddress
0x41b01c GetOEMCP
0x41b020 GetACP
0x41b024 GetCPInfo
0x41b028 IsBadCodePtr
0x41b02c IsBadReadPtr
0x41b030 GetFileType
0x41b034 SetHandleCount
0x41b04c HeapSize
0x41b050 GetCurrentProcess
0x41b054 TerminateProcess
0x41b058 IsBadWritePtr
0x41b05c HeapCreate
0x41b060 HeapDestroy
0x41b06c TlsAlloc
0x41b070 ExitProcess
0x41b074 GetVersion
0x41b078 GetCommandLineA
0x41b07c GetStartupInfoA
0x41b080 GetModuleHandleA
0x41b084 WaitForSingleObject
0x41b088 CloseHandle
0x41b08c CreateProcessA
0x41b094 GetCommandLineW
0x41b098 GetVersionExA
0x41b0a8 MultiByteToWideChar
0x41b0ac WideCharToMultiByte
0x41b0b0 GetLastError
0x41b0b4 LoadLibraryA
0x41b0b8 AreFileApisANSI
0x41b0bc GetModuleFileNameA
0x41b0c0 GetModuleFileNameW
0x41b0c4 LocalFree
0x41b0c8 FormatMessageA
0x41b0cc FormatMessageW
0x41b0d4 SetFileTime
0x41b0d8 CreateFileW
0x41b0dc SetLastError
0x41b0e0 SetFileAttributesA
0x41b0e4 RemoveDirectoryA
0x41b0e8 SetFileAttributesW
0x41b0ec RemoveDirectoryW
0x41b0f0 CreateDirectoryA
0x41b0f4 CreateDirectoryW
0x41b0f8 DeleteFileA
0x41b0fc DeleteFileW
0x41b100 lstrlenA
0x41b104 GetFullPathNameA
0x41b108 GetFullPathNameW
0x41b110 GetTempPathA
0x41b114 GetTempFileNameA
0x41b118 FindClose
0x41b11c FindFirstFileA
0x41b120 FindFirstFileW
0x41b124 FindNextFileA
0x41b128 CreateFileA
0x41b12c GetFileSize
0x41b130 SetFilePointer
0x41b134 ReadFile
0x41b138 WriteFile
0x41b13c SetEndOfFile
0x41b140 GetStdHandle
0x41b148 Sleep
0x41b14c VirtualAlloc
0x41b150 VirtualFree
0x41b154 CreateEventA
0x41b158 SetEvent
0x41b15c ResetEvent
0x41b164 RtlUnwind
0x41b168 RaiseException
0x41b16c HeapAlloc
0x41b170 HeapFree
0x41b174 HeapReAlloc
0x41b178 CreateThread
0x41b17c GetCurrentThreadId
0x41b180 TlsSetValue
0x41b184 TlsGetValue
0x41b188 ExitThread

Hosts

No hosts contacted.

TCP

Source | Source port | Destination (IP, hostname) | Destination port
192.168.56.101 49178 124.225.105.97 www.download.windowsupdate.com 80
192.168.56.101 49183 23.52.27.27 sv.symcd.com 80
192.168.56.101 49184 23.52.27.27 sv.symcd.com 80
192.168.56.101 49185 64.18.87.81 wc-tracking.lavasoft.com 80

UDP

Source | Source port | Destination (IP, hostname) | Destination port
192.168.56.101 50002 114.114.114.114 53
192.168.56.101 54991 114.114.114.114 53
192.168.56.101 55169 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 57874 114.114.114.114 53
192.168.56.101 58367 114.114.114.114 53
192.168.56.101 62144 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49235 224.0.0.252 5355
192.168.56.101 50534 224.0.0.252 5355
192.168.56.101 51963 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 53237 224.0.0.252 5355
192.168.56.101 53657 224.0.0.252 5355
192.168.56.101 54260 224.0.0.252 5355
192.168.56.101 56743 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://s2.symcb.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCED141%2Fl2SWCyYX308B7Khio%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: s2.symcb.com

http://sv.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEHbufvBDgh52FD6VEFUzieE%3D
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQe6LNDJdqx%2BJOp7hVgTeaGFJ%2FCQgQUljtT8Hkzl699g%2B8uK8zKt4YecmYCEHbufvBDgh52FD6VEFUzieE%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: sv.symcd.com

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT
If-None-Match: "0d8f4f3f6fd71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://wc-tracking.lavasoft.com/Install.asmx
POST /Install.asmx HTTP/1.1
Content-Type: text/xml; charset=utf-8
SOAPAction: "http://tempuri.org/Progress"
Host: wc-tracking.lavasoft.com
Content-Length: 734
Expect: 100-continue
Connection: Keep-Alive

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 19 Apr 2021 20:17:25 GMT
If-None-Match: "80f8835935d71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.