SmartHawk

12.6

0-day

该样本未表现出任何异常！

重新分析

下载样本

67af75c01bb4acaddc56ce6e76b1dc6e571e366e54cd32ce14c1ccf1da175934

4cbeb9527b6f088c844cac4e467276f3.exe

分析耗时

130s

最近分析

文件大小

2.0MB

静态报毒动态报毒

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀时间	查杀版本
Alibaba	20190527	0.3.0.5
CrowdStrike	20190702	1.0
Avast	20210108	21.1.5827.0
Baidu	20190318	1.0.0.2
Kingsoft	20210108	2017.9.26.565
McAfee	20210108	6.0.6.653

Queries for the computername (4 个事件)

Time & API	Arguments	Status	Return
1620749345.822626 GetComputerNameA	computer_name: OSKAR-PC	success	1
1620749396.104249 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620749398.088249 GetComputerNameW	computer_name: OSKAR-PC	success	1
1620749407.151249 GetComputerNameW	computer_name: OSKAR-PC	success	1

Checks if process is being debugged by a debugger (25 个事件)

Time & API	Arguments	Status	Return	Repeated
1620726222.612081 IsDebuggerPresent		failed	0	0
1620748924.904145 IsDebuggerPresent		failed	0	0
1620748925.357145 IsDebuggerPresent		failed	0	0
1620748937.185145 IsDebuggerPresent		failed	0	0
1620748937.466145 IsDebuggerPresent		failed	0	0
1620748937.607145 IsDebuggerPresent		failed	0	0
1620748937.982145 IsDebuggerPresent		failed	0	0
1620748938.091145 IsDebuggerPresent		failed	0	0
1620748938.185145 IsDebuggerPresent		failed	0	0
1620748938.388145 IsDebuggerPresent		failed	0	0
1620748938.419145 IsDebuggerPresent		failed	0	0
1620748939.716145 IsDebuggerPresent		failed	0	0
1620748944.029145 IsDebuggerPresent		failed	0	0
1620748948.591145 IsDebuggerPresent		failed	0	0
1620748949.732145 IsDebuggerPresent		failed	0	0
1620748950.654145 IsDebuggerPresent		failed	0	0
1620748954.638145 IsDebuggerPresent		failed	0	0
1620748956.591145 IsDebuggerPresent		failed	0	0
1620748962.466145 IsDebuggerPresent		failed	0	0
1620748968.747145 IsDebuggerPresent		failed	0	0
1620748970.794145 IsDebuggerPresent		failed	0	0
1620749349.041249 IsDebuggerPresent		failed	0	0
1620748919.52977 IsDebuggerPresent		failed	0	0
1620748919.60777 IsDebuggerPresent		failed	0	0
1620748919.62277 IsDebuggerPresent		failed	0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 个事件)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable is signed

Tries to locate where the browsers are installed (1 个事件)

file	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome.dll

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620749341.041626 GlobalMemoryStatusEx		success	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (3 个事件)

section	CODE
section	DATA
section	BSS

One or more processes crashed (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1620748980.622145 __exception__	stacktrace: 0x182e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 registers.r14: 7734403960320 registers.r9: 0 registers.rcx: 1396 registers.rsi: -6148914691236517206 registers.r10: 0 registers.rbx: 266333936 registers.rdi: 17302540 registers.r11: 266337856 registers.r8: 2009563532 registers.rdx: 552 registers.rbp: 266333792 registers.r15: 266334296 registers.r12: 266334696 registers.rsp: 266333656 registers.rax: 1584640 registers.r13: 7734404907008 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 a3 77 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x182e04	success	0	0
1620749411.744249 __exception__	stacktrace: _vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77da9e31 IsBadReadPtr+0xcc CreateSemaphoreA-0x31 kernel32+0x3d141 @ 0x7637d141 OleCreateFromData+0x195 NdrProxyForwardingFunction4-0x81f ole32+0xc586d @ 0x767b586d ObjectStublessClient31+0x886b STGMEDIUM_UserUnmarshal-0x20e43 ole32+0x998db @ 0x767898db DllRegisterServerInternal+0x3df02 GetPrivateContextsPerfCounters-0x19797 mscorwks+0x94168 @ 0x73fc4168 0x47bfb2 system+0x7a24ea @ 0x713024ea system+0x7a30b4 @ 0x713030b4 system+0x7a2c0a @ 0x71302c0a system+0x7a0de4 @ 0x71300de4 system+0x79e6da @ 0x712fe6da system+0x79f065 @ 0x712ff065 0x7ea54dd 0x7ea5463 system+0x1ce056 @ 0x70d2e056 system+0x1ce12a @ 0x70d2e12a system+0x1f87ce @ 0x70d587ce system+0x203a57 @ 0x70d63a57 system+0x203a06 @ 0x70d63a06 system+0x1f86a0 @ 0x70d586a0 system+0x1f8621 @ 0x70d58621 system+0x1f84fa @ 0x70d584fa 0x7c11a4 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x775a965e SendMessageW+0x4c GetAncestor-0xc0 user32+0x196c5 @ 0x775a96c5 0x6892063 system+0x203c74 @ 0x70d63c74 system+0x1f8671 @ 0x70d58671 system+0x1f84fa @ 0x70d584fa 0x7c11a4 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x775a77c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x775a788a 0x68985f2 system+0x208cee @ 0x70d68cee system+0x208957 @ 0x70d68957 system+0x2087a1 @ 0x70d687a1 system+0x1c5911 @ 0x70d25911 0x5e81898 CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca _CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4 _CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4 _CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x747f55ab CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74737f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74734de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 2156188 registers.edi: 5701632 registers.eax: 4294967288 registers.ebp: 2156232 registers.edx: 0 registers.ebx: 0 registers.esi: 0 registers.ecx: 5701632 exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84 exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58 exception.instruction: cmp byte ptr [eax + 7], 5 exception.module: ntdll.dll exception.exception_code: 0xc0000005 exception.offset: 499288 exception.address: 0x77da9e58	success	0	0

Time & API

Arguments

Status

Return

Repeated

1620748980.622145
__exception__

stacktrace:

0x182e04
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30
0x30

registers.r14: 7734403960320
registers.r9: 0
registers.rcx: 1396
registers.rsi: -6148914691236517206
registers.r10: 0
registers.rbx: 266333936
registers.rdi: 17302540
registers.r11: 266337856
registers.r8: 2009563532
registers.rdx: 552
registers.rbp: 266333792
registers.r15: 266334296
registers.r12: 266334696
registers.rsp: 266333656
registers.rax: 1584640
registers.r13: 7734404907008
exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 a3 77
exception.instruction: call qword ptr [rip + 0x91f16]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x182e04

success

1620749411.744249
__exception__

stacktrace:

_vsnprintf+0xa9 strncpy_s-0x79 ntdll+0x79e31 @ 0x77da9e31
IsBadReadPtr+0xcc CreateSemaphoreA-0x31 kernel32+0x3d141 @ 0x7637d141
OleCreateFromData+0x195 NdrProxyForwardingFunction4-0x81f ole32+0xc586d @ 0x767b586d
ObjectStublessClient31+0x886b STGMEDIUM_UserUnmarshal-0x20e43 ole32+0x998db @ 0x767898db
DllRegisterServerInternal+0x3df02 GetPrivateContextsPerfCounters-0x19797 mscorwks+0x94168 @ 0x73fc4168
0x47bfb2
system+0x7a24ea @ 0x713024ea
system+0x7a30b4 @ 0x713030b4
system+0x7a2c0a @ 0x71302c0a
system+0x7a0de4 @ 0x71300de4
system+0x79e6da @ 0x712fe6da
system+0x79f065 @ 0x712ff065
0x7ea54dd
0x7ea5463
system+0x1ce056 @ 0x70d2e056
system+0x1ce12a @ 0x70d2e12a
system+0x1f87ce @ 0x70d587ce
system+0x203a57 @ 0x70d63a57
system+0x203a06 @ 0x70d63a06
system+0x1f86a0 @ 0x70d586a0
system+0x1f8621 @ 0x70d58621
system+0x1f84fa @ 0x70d584fa
0x7c11a4
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
GetWindow+0x3f0 SendMessageW-0x1b user32+0x1965e @ 0x775a965e
SendMessageW+0x4c GetAncestor-0xc0 user32+0x196c5 @ 0x775a96c5
0x6892063
system+0x203c74 @ 0x70d63c74
system+0x1f8671 @ 0x70d58671
system+0x1f84fa @ 0x70d584fa
0x7c11a4
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x775a62fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x775a6d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x775a77c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x775a788a
0x68985f2
system+0x208cee @ 0x70d68cee
system+0x208957 @ 0x70d68957
system+0x2087a1 @ 0x70d687a1
system+0x1c5911 @ 0x70d25911
0x5e81898
CoUninitializeEE-0x29870 mscorwks+0x1b4c @ 0x73f31b4c
CoUninitializeEE-0x125de mscorwks+0x18dde @ 0x73f48dde
CoUninitializeEE-0x4990 mscorwks+0x26a2c @ 0x73f56a2c
CoUninitializeEE-0x495d mscorwks+0x26a5f @ 0x73f56a5f
CoUninitializeEE-0x493f mscorwks+0x26a7d @ 0x73f56a7d
StrongNameErrorInfo+0xfd79 _CorExeMain-0x4bf mscorwks+0xc6a8d @ 0x73ff6a8d
StrongNameErrorInfo+0xfc99 _CorExeMain-0x59f mscorwks+0xc69ad @ 0x73ff69ad
StrongNameErrorInfo+0x101b6 _CorExeMain-0x82 mscorwks+0xc6eca @ 0x73ff6eca
_CorExeMain+0x168 ClrCreateManagedInstance-0x42a6 mscorwks+0xc70b4 @ 0x73ff70b4
_CorExeMain+0x98 ClrCreateManagedInstance-0x4376 mscorwks+0xc6fe4 @ 0x73ff6fe4
_CorExeMain+0x38 _CorExeMain2-0x134 mscoreei+0x55ab @ 0x747f55ab
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74737f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74734de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5

registers.esp: 2156188
registers.edi: 5701632
registers.eax: 4294967288
registers.ebp: 2156232
registers.edx: 0
registers.ebx: 0
registers.esi: 0
registers.ecx: 5701632
exception.instruction_r: 80 78 07 05 0f 84 64 8a 01 00 f6 40 07 3f 0f 84
exception.symbol: _vsnprintf+0xd0 strncpy_s-0x52 ntdll+0x79e58
exception.instruction: cmp byte ptr [eax + 7], 5
exception.module: ntdll.dll
exception.exception_code: 0xc0000005
exception.offset: 499288
exception.address: 0x77da9e58

success

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 个事件)

suspicious_features

POST method with no referer header, POST method with no useragent header

suspicious_request

POST https://www.fastpctools.com/fvd/dailyinstall.php

Performs some HTTP requests (24 个事件)

request	GET http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
request	GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
request	GET http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
request	GET http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEB2iSDBvmyYY0ILgln0z02o%3D
request	GET http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl
request	GET http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ5suEceKjAJbxseAmHFkQ9FrhTWQQUDuE6qFM6MdWKvsG7rWcaA4WtNA4CED%2FTltpSxTMaRJ6NyRARj6Q%3D
request	GET http://crl.sectigo.com/SectigoRSACodeSigningCA.crl
request	GET http://fastytd.com/video_list.html
request	GET http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCu4OaM8pepHQMAAAAAy%2FdW
request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
request	GET http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDtqToB6jJa2wMAAAAAy%2FdX
request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAwIlmU1uUKpc1Jl5Pl1QLw%3D
request	GET http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTubeiRal9hlMRbT70r8I4mClph2gQUEsmImy%2FJRHp9EvHfQANCmJLHJNYCEA48unWY0rKtPcl6oSZ7AiM%3D
request	POST https://www.fastpctools.com/fvd/dailyinstall.php
request	GET https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
request	GET https://www.fastpctools.com/fvd/recommend.html?ver=3.1.0.76&lang=en&utm_source=fvup&utm_campaign=fvup
request	GET https://www.fastpctools.com/fvd/css/styles.css
request	GET https://www.fastpctools.com/fvd/fonts/opensans-light-webfont.eot?
request	GET https://ssl.google-analytics.com/ga.js
request	GET https://ssl.google-analytics.com/r/__utm.gif?utmwv=5.7.2&utms=1&utmn=22126545&utmhn=www.fastpctools.com&utmcs=utf-8&utmsr=800x600&utmvp=785x55&utmsc=32-bit&utmul=zh-cn&utmje=1&utmfl=-&utmdt=Recommended%20Software&utmhid=934811379&utmr=-&utmp=%2Ffvd%2Frecommend.html%3Fver%3D3.1.0.76%26lang%3Den%26utm_source%3Dfvup%26utm_campaign%3Dfvup&utmht=1620726619447&utmac=UA-48833033-1&utmcc=__utma%3D1.1600426715.1620726619.1620726619.1620726619.1%3B%2B__utmz%3D1.1620726619.1.1.utmcsr%3Dfvup%7Cutmccn%3Dfvup%7Cutmcmd%3D(not%2520set)%3B&utmjid=1782550650&utmredir=1&utmu=qlAAAAAAAAAAAAAAAAAAAAAE~
request	GET https://www.fastpctools.com/fvd/images/special_offer_ver3_44.jpg
request	GET https://www.fastpctools.com/fvd/images/fvd_update1.png
request	GET https://stats.g.doubleclick.net/r/collect?v=1&aip=1&t=dc&_r=3&tid=UA-48833033-1&cid=1600426715.1620726619&jid=1782550650&_v=5.7.2&z=22126545
request	GET https://widgets.amung.us/small.js

Sends data using the HTTP POST Method (1 个事件)

request

POST https://www.fastpctools.com/fvd/dailyinstall.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 148 个事件)

Time & API	Arguments	Status
1620726222.253081 NtProtectVirtualMemory	process_identifier: 368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success
1620726222.253081 NtProtectVirtualMemory	process_identifier: 368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 45056 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00401000	success
1620726222.253081 NtProtectVirtualMemory	process_identifier: 368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 139264 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00410000	success
1620749340.119626 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00520000	success
1620749341.572626 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x03fc0000	success
1620749341.572626 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x03fd0000	success
1620749341.572626 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x03fe0000	success
1620749341.572626 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x03ff0000	success
1620749341.572626 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04000000	success
1620749341.572626 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04010000	success
1620749341.572626 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04020000	success
1620749341.572626 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04140000	success
1620749341.572626 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04150000	success
1620749341.572626 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04160000	success
1620749341.572626 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04170000	success
1620749341.572626 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04180000	success
1620749341.572626 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x041e0000	success
1620749341.572626 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x041f0000	success
1620749341.572626 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04200000	success
1620749341.572626 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04210000	success
1620749341.572626 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04220000	success
1620749341.588626 NtAllocateVirtualMemory	process_identifier: 648 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x04230000	success
1620748985.029395 NtAllocateVirtualMemory	process_identifier: 1424 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffffffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0000000004290000	success
1620749348.072249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 8192 (MEM_RESERVE) base_address: 0x00670000	success
1620749348.072249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x007c0000	success
1620749348.838249 NtProtectVirtualMemory	process_identifier: 944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f31000	success
1620749349.041249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0047a000	success
1620749349.041249 NtProtectVirtualMemory	process_identifier: 944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x73f32000	success
1620749349.041249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00472000	success
1620749349.416249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00482000	success
1620749391.432249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00483000	success
1620749391.447249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004bb000	success
1620749391.447249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004b7000	success
1620749391.510249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0048c000	success
1620749391.666249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00484000	success
1620749392.588249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00485000	success
1620749392.697249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00487000	success
1620749392.744249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00488000	success
1620749392.979249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00489000	success
1620749393.104249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05cd0000	success
1620749393.104249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0048a000	success
1620749393.572249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05e80000	success
1620749393.666249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004aa000	success
1620749393.729249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05e81000	success
1620749393.963249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x004a2000	success
1620749393.994249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0047b000	success
1620749394.026249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05cf0000	success
1620749394.041249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x05cf1000	success
1620749394.041249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x0048d000	success
1620749394.057249 NtAllocateVirtualMemory	process_identifier: 944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 4096 (MEM_COMMIT) base_address: 0x00496000	success

Checks whether any human activity is being performed by constantly checking whether the foreground window changed

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (3 个事件)

Time & API	Arguments	Status	Return
1620749345.744626 GetDiskFreeSpaceExW	root_path: C:\Program Files (x86)\FastPCTools\Fast VD\ free_bytes_available: 8600306909957483753 total_number_of_free_bytes: 0 total_number_of_bytes: 4294967295	failed	0
1620749345.744626 GetDiskFreeSpaceExW	root_path: C:\Program Files (x86)\FastPCTools\ free_bytes_available: 8600306909957483753 total_number_of_free_bytes: 0 total_number_of_bytes: 4294967295	failed	0
1620749345.744626 GetDiskFreeSpaceExW	root_path: C:\Program Files (x86)\ free_bytes_available: 19611111424 total_number_of_free_bytes: 0 total_number_of_bytes: 34252779520	success	1

An application raised an exception which may be indicative of an exploit crash (2 个事件)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 1436 crashed
1620748980.622145 __exception__	stacktrace: 0x182e04 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 0x30 registers.r14: 7734403960320 registers.r9: 0 registers.rcx: 1396 registers.rsi: -6148914691236517206 registers.r10: 0 registers.rbx: 266333936 registers.rdi: 17302540 registers.r11: 266337856 registers.r8: 2009563532 registers.rdx: 552 registers.rbp: 266333792 registers.r15: 266334296 registers.r12: 266334696 registers.rsp: 266333656 registers.rax: 1584640 registers.r13: 7734404907008 exception.instruction_r: ff 15 16 1f 09 00 ff 25 00 00 00 00 aa a4 a3 77 exception.instruction: call qword ptr [rip + 0x91f16] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x182e04	success	0	0

Steals private information from local Internet browsers (24 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma~RF5d0a5c.TMP
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-609A5322-59C.pma
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Last Version
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Default\Policy\User Policy
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index

Creates executable files on the filesystem (3 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JSSP0KXB\ga[1].js
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X6VHVO8H\small[1].js
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-52KSI.tmp\itdownload.dll

Drops an executable to the user AppData folder (2 个事件)

file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-BF2TV.tmp\4cbeb9527b6f088c844cac4e467276f3.tmp
file	C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\is-52KSI.tmp\itdownload.dll

Executes one or more WMI queries (1 个事件)

wmi	select * from Win32_ComputerSystemProduct

Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620749352.166249 GetAdaptersAddresses	flags: 15 family: 0	failed	111	0

Queries for potentially installed applications (4 个事件)

Time & API	Arguments	Status	Return
1620749341.557626 RegOpenKeyExA	access: 0x00000001 base_handle: 0x80000001 key_handle: 0x00000000 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\9ED08AFF-E977-47db-8923-2499D74C97C5_Fast VD_is1 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\9ED08AFF-E977-47db-8923-2499D74C97C5_Fast VD_is1 options: 0	failed	2
1620749341.557626 RegOpenKeyExA	access: 0x00000001 base_handle: 0x80000002 key_handle: 0x00000000 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\9ED08AFF-E977-47db-8923-2499D74C97C5_Fast VD_is1 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\9ED08AFF-E977-47db-8923-2499D74C97C5_Fast VD_is1 options: 0	failed	2
1620749347.072626 RegOpenKeyExA	access: 0x00000008 base_handle: 0x80000001 key_handle: 0x00000000 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\9ED08AFF-E977-47db-8923-2499D74C97C5_Fast VD_is1 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\9ED08AFF-E977-47db-8923-2499D74C97C5_Fast VD_is1 options: 0	failed	2
1620749347.072626 RegOpenKeyExA	access: 0x00000008 base_handle: 0x80000002 key_handle: 0x00000000 regkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\9ED08AFF-E977-47db-8923-2499D74C97C5_Fast VD_is1 regkey_r: Software\Microsoft\Windows\CurrentVersion\Uninstall\9ED08AFF-E977-47db-8923-2499D74C97C5_Fast VD_is1 options: 0	failed	2

Executes one or more WMI queries which can be used to identify virtual machines (1 个事件)

wmi	select * from Win32_ComputerSystemProduct

Communicates with host for which no DNS query was performed (1 个事件)

host

172.217.24.14

Looks for the Windows Idle Time to determine the uptime (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620749416.541249 NtQuerySystemInformation	information_class: 8 (SystemProcessorPerformanceInformation)	success	0	0

Disables proxy possibly for traffic interception (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1620749402.401249 RegSetValueExA	key_handle: 0x000007f4 value: 0 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	success	0	0

Attempts to create or modify system certificates (2 个事件)

registry	HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob

Sets or modifies WPAD proxy autoconfiguration file for traffic interception (15 个事件)

Time & API	Arguments	Status
1620749406.526249 RegSetValueExA	key_handle: 0x000008c8 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1620749406.526249 RegSetValueExA	key_handle: 0x000008c8 value: Ðö×KF× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1620749406.526249 RegSetValueExA	key_handle: 0x000008c8 value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1620749406.526249 RegSetValueExW	key_handle: 0x000008c8 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1620749406.557249 RegSetValueExA	key_handle: 0x000006dc value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1620749406.557249 RegSetValueExA	key_handle: 0x000006dc value: Ðö×KF× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1620749406.557249 RegSetValueExA	key_handle: 0x000006dc value: 3 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success
1620749406.994249 RegSetValueExW	key_handle: 0x000008c4 value: {40112ABE-63B3-43C3-BE93-1440EE3AF106} regkey_r: WpadLastNetwork reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork	success
1620749408.994249 RegSetValueExA	key_handle: 0x00000930 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason	success
1620749408.994249 RegSetValueExA	key_handle: 0x00000930 value: ´PKF× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime	success
1620749408.994249 RegSetValueExA	key_handle: 0x00000930 value: 0 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision	success
1620749408.994249 RegSetValueExW	key_handle: 0x00000930 value: 网络 2 regkey_r: WpadNetworkName reg_type: 1 (REG_SZ) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName	success
1620749408.994249 RegSetValueExA	key_handle: 0x00000934 value: 1 regkey_r: WpadDecisionReason reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason	success
1620749408.994249 RegSetValueExA	key_handle: 0x00000934 value: ´PKF× regkey_r: WpadDecisionTime reg_type: 3 (REG_BINARY) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime	success
1620749408.994249 RegSetValueExA	key_handle: 0x00000934 value: 0 regkey_r: WpadDecision reg_type: 4 (REG_DWORD) regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision	success

One or more non-safelisted processes were created (2 个事件)

parent_process	chrome.exe				martian_process	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Administrator.Oskar-PC\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef2624f50,0x7fef2624f60,0x7fef2624f70
parent_process	chrome.exe				martian_process	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1056,10108852557818577834,12506995417315352589,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1084 /prefetch:2

Resumed a suspended thread in a remote process potentially indicative of process injection (13 个事件)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1908 resumed a thread in remote process 1436
1620748989.38877 NtResumeThread	thread_handle: 0x0000000000000140 suspend_count: 2 process_identifier: 1436	success	0	0
1620748989.68577 NtResumeThread	thread_handle: 0x0000000000000140 suspend_count: 2 process_identifier: 1436	success	0	0
1620748989.96677 NtResumeThread	thread_handle: 0x0000000000000140 suspend_count: 2 process_identifier: 1436	success	0	0
1620748990.23277 NtResumeThread	thread_handle: 0x0000000000000140 suspend_count: 2 process_identifier: 1436	success	0	0
1620748990.32577 NtResumeThread	thread_handle: 0x0000000000000140 suspend_count: 2 process_identifier: 1436	success	0	0
1620748990.49777 NtResumeThread	thread_handle: 0x0000000000000140 suspend_count: 2 process_identifier: 1436	success	0	0
1620748995.07577 NtResumeThread	thread_handle: 0x0000000000000140 suspend_count: 2 process_identifier: 1436	success	0	0
1620748995.62277 NtResumeThread	thread_handle: 0x0000000000000140 suspend_count: 2 process_identifier: 1436	success	0	0
1620748996.13877 NtResumeThread	thread_handle: 0x0000000000000140 suspend_count: 2 process_identifier: 1436	success	0	0
1620748997.96677 NtResumeThread	thread_handle: 0x0000000000000140 suspend_count: 2 process_identifier: 1436	success	0	0
1620748998.96677 NtResumeThread	thread_handle: 0x0000000000000140 suspend_count: 2 process_identifier: 1436	success	0	0
1620748999.52977 NtResumeThread	thread_handle: 0x0000000000000140 suspend_count: 2 process_identifier: 1436	success	0	0

暂无二进制图像该样本未生成二进制可视化图像

暂无运行截图该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手，可以帮您分析和解读恶意软件报告。请随时向我提问！

🔍 主要威胁分析

⚡ 行为特征

🛡️ 防护建议

🔧 技术手段

🎯 检测方法

🤖

Static Analysis
Strings

PE Compile Time

1992-06-20 06:22:17

Imports

Library kernel32.dll:

• 0x40e0b4 DeleteCriticalSection

• 0x40e0b8 LeaveCriticalSection

• 0x40e0bc EnterCriticalSection

• 0x40e0c0 InitializeCriticalSection

• 0x40e0c4 VirtualFree

• 0x40e0c8 VirtualAlloc

• 0x40e0cc LocalFree

• 0x40e0d0 LocalAlloc

• 0x40e0d4 WideCharToMultiByte

• 0x40e0d8 TlsSetValue

• 0x40e0dc TlsGetValue

• 0x40e0e0 MultiByteToWideChar

• 0x40e0e4 GetModuleHandleA

• 0x40e0e8 GetLastError

• 0x40e0ec GetCommandLineA

• 0x40e0f0 WriteFile

• 0x40e0f4 SetFilePointer

• 0x40e0f8 SetEndOfFile

• 0x40e0fc RtlUnwind

• 0x40e100 ReadFile

• 0x40e104 RaiseException

• 0x40e108 GetStdHandle

• 0x40e10c GetFileSize

• 0x40e110 GetSystemTime

• 0x40e114 GetFileType

• 0x40e118 ExitProcess

• 0x40e11c CreateFileA

• 0x40e120 CloseHandle

Library user32.dll:

• 0x40e128 MessageBoxA

Library oleaut32.dll:

• 0x40e130 VariantChangeTypeEx

• 0x40e134 VariantCopyInd

• 0x40e138 VariantClear

• 0x40e13c SysStringLen

• 0x40e140 SysAllocStringLen

Library advapi32.dll:

• 0x40e148 RegQueryValueExA

• 0x40e14c RegOpenKeyExA

• 0x40e150 RegCloseKey

• 0x40e154 OpenProcessToken

• 0x40e158 LookupPrivilegeValueA

Library kernel32.dll:

• 0x40e160 WriteFile

• 0x40e164 VirtualQuery

• 0x40e168 VirtualProtect

• 0x40e16c VirtualFree

• 0x40e170 VirtualAlloc

• 0x40e174 Sleep

• 0x40e178 SizeofResource

• 0x40e17c SetLastError

• 0x40e180 SetFilePointer

• 0x40e184 SetErrorMode

• 0x40e188 SetEndOfFile

• 0x40e18c RemoveDirectoryA

• 0x40e190 ReadFile

• 0x40e194 LockResource

• 0x40e198 LoadResource

• 0x40e19c LoadLibraryA

• 0x40e1a0 IsDBCSLeadByte

• 0x40e1a4 GetWindowsDirectoryA

• 0x40e1a8 GetVersionExA

• 0x40e1ac GetVersion

• 0x40e1b0 GetUserDefaultLangID

• 0x40e1b4 GetSystemInfo

• 0x40e1b8 GetSystemDirectoryA

• 0x40e1bc GetSystemDefaultLCID

• 0x40e1c0 GetProcAddress

• 0x40e1c4 GetModuleHandleA

• 0x40e1c8 GetModuleFileNameA

• 0x40e1cc GetLocaleInfoA

• 0x40e1d0 GetLastError

• 0x40e1d4 GetFullPathNameA

• 0x40e1d8 GetFileSize

• 0x40e1dc GetFileAttributesA

• 0x40e1e0 GetExitCodeProcess

• 0x40e1e4 GetEnvironmentVariableA

• 0x40e1e8 GetCurrentProcess

• 0x40e1ec GetCommandLineA

• 0x40e1f0 GetACP

• 0x40e1f4 InterlockedExchange

• 0x40e1f8 FormatMessageA

• 0x40e1fc FindResourceA

• 0x40e200 DeleteFileA

• 0x40e204 CreateProcessA

• 0x40e208 CreateFileA

• 0x40e20c CreateDirectoryA

• 0x40e210 CloseHandle

Library user32.dll:

• 0x40e218 TranslateMessage

• 0x40e21c SetWindowLongA

• 0x40e220 PeekMessageA

• 0x40e224 MsgWaitForMultipleObjects

• 0x40e228 MessageBoxA

• 0x40e22c LoadStringA

• 0x40e230 ExitWindowsEx

• 0x40e234 DispatchMessageA

• 0x40e238 DestroyWindow

• 0x40e23c CreateWindowExA

• 0x40e240 CallWindowProcA

• 0x40e244 CharPrevA

Library comctl32.dll:

• 0x40e24c InitCommonControls

Library advapi32.dll:

• 0x40e254 AdjustTokenPrivileges

Hosts

No hosts contacted.

DNS

Name	Response	Post-Analysis Lookup
www.googletagmanager.com	CNAME www-googletagmanager.l.google.com A 113.108.239.233	203.208.41.105
ssl.google-analytics.com	A 113.108.239.169 CNAME ssl-google-analytics.l.google.com	203.208.41.105
fastytd.com	A 172.67.132.5 A 104.21.4.112	172.67.132.5
ocsp.usertrust.com	A 151.139.128.14	151.139.128.14
ocsp.pki.goog	A 113.108.239.226 CNAME pki-goog.l.google.com	203.208.50.162
dns.msftncsi.com	AAAA fd3e:4f5a:5b81::1	131.107.255.255
teredo.ipv6.microsoft.com
ocsp.comodoca.com	A 151.139.128.14	151.139.128.14
crl.usertrust.com	A 151.139.128.14	151.139.128.14
clients2.google.com	CNAME clients.l.google.com A 216.58.200.238	216.58.200.46
widgets.amung.us	A 172.67.8.141 A 104.22.74.171 A 104.22.75.171	172.67.8.141
whos.amung.us	A 67.202.94.86 A 67.202.94.93 A 67.202.114.216 A 67.202.114.214 A 67.202.94.94 A 67.202.114.212	67.202.94.86
dns.msftncsi.com	A 131.107.255.255	131.107.255.255
t.dtscout.com	A 158.69.139.230 A 158.69.139.229 A 158.69.139.226 A 158.69.139.225 A 158.69.139.238 A 51.161.15.93 A 51.89.24.69 A 51.161.15.92 A 167.114.209.61 A 51.89.24.70 A 51.89.99.21 A 158.69.139.237	158.69.139.229
www.download.windowsupdate.com	A 106.7.64.1 A 222.216.123.6 CNAME k256.gslb.ksyuncdn.com A 124.229.60.6 A 116.11.67.6 CNAME 2-01-3cf7-0009.cdx.cedexis.net A 36.25.252.1 A 115.231.33.1 A 119.96.211.1 CNAME www.download.windowsupdate.com.download.ks-cdn.com A 124.229.53.1 CNAME wu-fg-shim.trafficmanager.net	36.25.252.1
pagead2.googlesyndication.com	A 58.63.233.102	203.208.40.70
ocsp.sectigo.com	A 151.139.128.14	151.139.128.14
crt.usertrust.com	A 91.199.212.52	91.199.212.52
www.fastpctools.com	A 104.21.32.129 A 172.67.152.15	172.67.152.15
www.google.com	A 157.240.9.18 A 69.171.244.12 A 172.217.24.4	202.160.128.40

TCP

Source	Source Port	Destination	Destination Port
192.168.56.101	49210	104.21.4.112 fastytd.com	80
192.168.56.101	49223	113.108.239.169 ssl.google-analytics.com	443
192.168.56.101	49216	113.108.239.226 ocsp.pki.goog	80
192.168.56.101	49230	113.108.239.230	443
192.168.56.101	49222	113.108.239.233 www.googletagmanager.com	443
192.168.56.101	49197	119.96.211.1 www.download.windowsupdate.com	80
192.168.56.101	49202	151.139.128.14 ocsp.sectigo.com	80
192.168.56.101	49205	151.139.128.14 ocsp.sectigo.com	80
192.168.56.101	49206	151.139.128.14 ocsp.sectigo.com	80
192.168.56.101	49207	151.139.128.14 ocsp.sectigo.com	80
192.168.56.101	49208	151.139.128.14 ocsp.sectigo.com	80
192.168.56.101	49211	157.240.9.18 www.google.com	443
192.168.56.101	49232	158.69.139.230 t.dtscout.com	443
192.168.56.101	49209	172.67.152.15 www.fastpctools.com	443
192.168.56.101	49219	172.67.152.15 www.fastpctools.com	443
192.168.56.101	49221	172.67.152.15 www.fastpctools.com	443
192.168.56.101	49228	172.67.152.15 www.fastpctools.com	443
192.168.56.101	49229	172.67.152.15 www.fastpctools.com	443
192.168.56.101	49231	172.67.8.141 widgets.amung.us	443
192.168.56.101	49213	58.63.233.102 pagead2.googlesyndication.com	443

UDP

Source	Source Port	Destination	Destination Port
192.168.56.101	49235	114.114.114.114	53
192.168.56.101	49710	114.114.114.114	53
192.168.56.101	49713	114.114.114.114	53
192.168.56.101	50047	114.114.114.114	53
192.168.56.101	50534	114.114.114.114	53
192.168.56.101	54178	114.114.114.114	53
192.168.56.101	55331	114.114.114.114	53
192.168.56.101	56539	114.114.114.114	53
192.168.56.101	57874	114.114.114.114	53
192.168.56.101	58070	114.114.114.114	53
192.168.56.101	64214	114.114.114.114	53
192.168.56.101	64565	114.114.114.114	53
192.168.56.101	65004	114.114.114.114	53
192.168.56.101	137	192.168.56.255	137
192.168.56.101	138	192.168.56.255	138
192.168.56.101	50002	224.0.0.252	5355
192.168.56.101	50433	224.0.0.252	5355
192.168.56.101	50568	224.0.0.252	5355
192.168.56.101	50849	224.0.0.252	5355
192.168.56.101	51378	224.0.0.252	5355

HTTP & HTTPS Requests

URI	Data
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1 Cache-Control: max-age = 3600 Connection: Keep-Alive Accept: / If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT If-None-Match: "0d8f4f3f6fd71:0" User-Agent: Microsoft-CryptoAPI/6.1 Host: www.download.windowsupdate.com
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAwIlmU1uUKpc1Jl5Pl1QLw%3D	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAwIlmU1uUKpc1Jl5Pl1QLw%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.digicert.com
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEB2iSDBvmyYY0ILgln0z02o%3D	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEB2iSDBvmyYY0ILgln0z02o%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.usertrust.com
http://fastytd.com/video_list.html	GET /video_list.html HTTP/1.1 Accept: / Accept-Language: zh-cn Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: fastytd.com Connection: Keep-Alive
http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDtqToB6jJa2wMAAAAAy%2FdX	GET /gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDtqToB6jJa2wMAAAAAy%2FdX HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.pki.goog
http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt	GET /USERTrustRSAAddTrustCA.crt HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: crt.usertrust.com
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTubeiRal9hlMRbT70r8I4mClph2gQUEsmImy%2FJRHp9EvHfQANCmJLHJNYCEA48unWY0rKtPcl6oSZ7AiM%3D	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTubeiRal9hlMRbT70r8I4mClph2gQUEsmImy%2FJRHp9EvHfQANCmJLHJNYCEA48unWY0rKtPcl6oSZ7AiM%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.digicert.com
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.digicert.com
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D	GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Microsoft-CryptoAPI/6.1 Host: ocsp.comodoca.com
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1 Cache-Control: max-age = 900 Connection: Keep-Alive Accept: / If-Modified-Since: Mon, 19 Apr 2021 20:17:25 GMT If-None-Match: "80f8835935d71:0" User-Agent: Microsoft-CryptoAPI/6.1 Host: www.download.windowsupdate.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.

Sorry! No dropped buffers.