Score: 8.6 (Critical)

SHA-256: a00ef4eb5d17f4416d3d38e8463f6ffd18ecf55096a2291727f882656327bb4e

File name: ae7191774973ac68bd6f4d7d4f253851.exe

Analysis duration: 95s

Last analysis:

File size: 4.2MB
Static scan: flagged malicious  Dynamic scan: flagged malicious  Tags: KLNLF MALICIOUS REDCAP SAVE STARTUN
Eagle Eye (鹰眼) engine
Not detected: no Eagle Eye engine result is available for this sample
Static verdict
Antivirus engines
Engine  Result  Scan date  Engine version
McAfee 20210504 6.0.6.653
CrowdStrike 20210203 1.0
Alibaba 20190527 0.3.0.5
Baidu 20190318 1.0.0.2
Avast 20210510 21.1.5827.0
Kingsoft 20210510 2017.9.26.565
Tencent 20210510 1.0.0.1
Static indicators
Queries for the computer name (2 events)
Time & API Arguments Status Return Repeated
1620987568.131501
GetComputerNameA
computer_name: OSKAR-PC
success 1 0
1620987568.147501
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
Checks whether the process is being debugged by a debugger (4 events)
Time & API Arguments Status Return Repeated
1620987528.507124
IsDebuggerPresent
failed 0 0
1620987528.991124
IsDebuggerPresent
failed 0 0
1620987528.991124
IsDebuggerPresent
failed 0 0
1620987545.022501
IsDebuggerPresent
failed 0 0
Uses Windows APIs to generate a cryptographic key (8 events)
Time & API Arguments Status Return Repeated
1620987529.570124
CryptExportKey
crypto_handle: 0x007adf88
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1620987530.320124
CryptExportKey
crypto_handle: 0x007ae348
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1620987530.320124
CryptExportKey
crypto_handle: 0x007ae348
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1620987530.320124
CryptExportKey
crypto_handle: 0x007ae348
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1620987538.085124
CryptExportKey
crypto_handle: 0x00851eb0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1620987538.179124
CryptExportKey
crypto_handle: 0x00851eb0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1620987538.226124
CryptExportKey
crypto_handle: 0x00851eb0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
1620987538.273124
CryptExportKey
crypto_handle: 0x00851eb0
crypto_export_handle: 0x00000000
buffer: <INVALID POINTER>
blob_type: 6
flags: 0
success 1 0
This executable is signed
This executable has a PDB path (1 event)
pdb_path E:\B\16\LabTech\Build - 3rd Party - Installer - WiX 3.10.4 Full\Sources\build\ship\x86\burn.pdb
Tries to locate where browsers are installed (1 event)
registry HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\BundlePatchCode
Checks the amount of memory in the system; this can be used to detect virtual machines that have a low amount of memory available (1 event)
Time & API Arguments Status Return Repeated
1620987529.007124
GlobalMemoryStatusEx
success 1 0
The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)
section .wixburn
section .gfids
Behavioral verdict
Dynamic indicators
One or more potentially interesting buffers were extracted; these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware-related traffic (1 event)
suspicious_features GET method with no useragent header
suspicious_request GET https://help.mammothit.com/labtech/updates/ForceUpdate.cst
Performs some HTTP requests (2 events)
request GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
request GET https://help.mammothit.com/labtech/updates/ForceUpdate.cst
Allocates read-write-execute memory (usually to unpack itself) (50 of 90 events shown)
Time & API Arguments Status Return Repeated
1620987528.679124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 393216
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x00e20000
success 0 0
1620987528.679124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00e40000
success 0 0
1620987528.726124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x030c0000
success 0 0
1620987528.726124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x031e0000
success 0 0
1620987528.866124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 851968
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x02810000
success 0 0
1620987528.866124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x028a0000
success 0 0
1620987528.929124
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e71000
success 0 0
1620987528.991124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 1441792
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 8192 (MEM_RESERVE)
base_address: 0x03280000
success 0 0
1620987528.991124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x033a0000
success 0 0
1620987528.991124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00e3a000
success 0 0
1620987528.991124
NtProtectVirtualMemory
process_identifier: 1068
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 8192
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
base_address: 0x73e72000
success 0 0
1620987528.991124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00e32000
success 0 0
1620987529.148124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00e82000
success 0 0
1620987529.210124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ea5000
success 0 0
1620987529.210124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00eab000
success 0 0
1620987529.210124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00ea7000
success 0 0
1620987529.351124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x028a1000
success 0 0
1620987529.398124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026f2000
success 0 0
1620987529.413124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x00e83000
success 0 0
1620987529.413124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 327680
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x7ef40000
success 0 0
1620987529.413124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef40000
success 0 0
1620987529.413124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef40000
success 0 0
1620987529.413124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef48000
success 0 0
1620987529.413124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 65536
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 1056768 (MEM_RESERVE|MEM_TOP_DOWN)
base_address: 0x7ef30000
success 0 0
1620987529.413124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef30000
success 0 0
1620987529.460124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026f3000
success 0 0
1620987529.476124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef40000
success 0 0
1620987529.476124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef48000
success 0 0
1620987529.476124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x7ef30000
success 0 0
1620987529.491124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x028a2000
success 0 0
1620987529.491124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x028a3000
success 0 0
1620987529.585124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026fc000
success 0 0
1620987529.585124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026f4000
success 0 0
1620987529.632124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027c0000
success 0 0
1620987529.663124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026f5000
success 0 0
1620987529.913124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026f6000
success 0 0
1620987529.945124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026f7000
success 0 0
1620987529.960124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x0275c000
success 0 0
1620987529.960124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x02759000
success 0 0
1620987530.320124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026f8000
success 0 0
1620987530.398124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026fa000
success 0 0
1620987530.445124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026f9000
success 0 0
1620987530.445124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x026fd000
success 0 0
1620987530.476124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03260000
success 0 0
1620987530.476124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03261000
success 0 0
1620987530.476124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03262000
success 0 0
1620987530.476124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027c1000
success 0 0
1620987530.491124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x03263000
success 0 0
1620987530.491124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x027c2000
success 0 0
1620987530.491124
NtAllocateVirtualMemory
process_identifier: 1068
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x028a4000
success 0 0
Creates executable files on the filesystem (16 events)
file C:\Windows\Temp\{B9EE2253-10A5-49B4-B999-AC915FEB2400}\.ba\wix.dll
file C:\Windows\Temp\{B9EE2253-10A5-49B4-B999-AC915FEB2400}\.ba\Microsoft.Deployment.Compression.Zip.dll
file C:\Windows\Temp\{B9EE2253-10A5-49B4-B999-AC915FEB2400}\.ba\Raicl.dll
file C:\Windows\Temp\{B9EE2253-10A5-49B4-B999-AC915FEB2400}\.ba\Microsoft.Deployment.WindowsInstaller.Package.dll
file C:\Windows\Temp\{B9EE2253-10A5-49B4-B999-AC915FEB2400}\.ba\BootstrapperCore.dll
file C:\Windows\Temp\{B9EE2253-10A5-49B4-B999-AC915FEB2400}\.be\LabTechRemoteAgent.exe
file C:\Windows\Temp\{0D2163A8-DD69-4D62-87B6-4DF9358B66A6}\.cr\ae7191774973ac68bd6f4d7d4f253851.exe
file C:\Windows\Temp\{B9EE2253-10A5-49B4-B999-AC915FEB2400}\.ba\Janus.dll
file C:\Windows\Temp\{B9EE2253-10A5-49B4-B999-AC915FEB2400}\.ba\mbahost.dll
file C:\Windows\Temp\{B9EE2253-10A5-49B4-B999-AC915FEB2400}\.ba\RemoteAgentBootstrapper.dll
file C:\Windows\Temp\{B9EE2253-10A5-49B4-B999-AC915FEB2400}\.ba\mbapreq.dll
file C:\Windows\Temp\{B9EE2253-10A5-49B4-B999-AC915FEB2400}\.ba\Microsoft.Deployment.Compression.Cab.dll
file C:\Windows\Temp\{B9EE2253-10A5-49B4-B999-AC915FEB2400}\.ba\Microsoft.Deployment.Resources.dll
file C:\Windows\Temp\{B9EE2253-10A5-49B4-B999-AC915FEB2400}\.ba\Microsoft.Deployment.Compression.dll
file C:\Windows\Temp\{B9EE2253-10A5-49B4-B999-AC915FEB2400}\.ba\winterop.dll
file C:\Windows\Temp\{B9EE2253-10A5-49B4-B999-AC915FEB2400}\.ba\Microsoft.Deployment.WindowsInstaller.dll
Drops a binary and executes it (1 event)
file C:\Windows\Temp\{B9EE2253-10A5-49B4-B999-AC915FEB2400}\.be\LabTechRemoteAgent.exe
Drops an executable into the user AppData folder (1 event)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\3f460d4c-d217-46b4-80b6-b5ed50bd7cf5\UX\BootstrapperCore.dll
A process created a hidden window (1 event)
Time & API Arguments Status Return Repeated
1620987544.570124
ShellExecuteExW
parameters: -q -burn.elevated BurnPipe.{90F4555A-7B63-45D9-8C08-B3518CB26391} {F4AE7F7B-B63C-4D48-9333-65986824BA0C} 1068
filepath: C:\Windows\Temp\{B9EE2253-10A5-49B4-B999-AC915FEB2400}\.be\LabTechRemoteAgent.exe
filepath_r: C:\Windows\Temp\{B9EE2253-10A5-49B4-B999-AC915FEB2400}\.be\LabTechRemoteAgent.exe
show_type: 0
success 1 0
File has been identified by 5 antivirus engines on VirusTotal as malicious (5 events)
Zillya Trojan.Startun.Win32.20
Sangfor Trojan.Win32.Save.a
APEX Malicious
Jiangmin Trojan.Startun.d
Avira TR/Redcap.klnlf
Checks adapter addresses, which can be used to detect virtual network interfaces (1 event)
Time & API Arguments Status Return Repeated
1620987532.382124
GetAdaptersAddresses
flags: 15
family: 0
failed 111 0
Checks for the Locally Unique Identifier of a suspicious privilege on the system (16 events)
Time & API Arguments Status Return Repeated
1620987569.506501
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620987569.897501
LookupPrivilegeValueW
system_name:
privilege_name: SeCreateTokenPrivilege
success 1 0
1620987569.897501
LookupPrivilegeValueW
system_name:
privilege_name: SeAssignPrimaryTokenPrivilege
success 1 0
1620987569.897501
LookupPrivilegeValueW
system_name:
privilege_name: SeMachineAccountPrivilege
success 1 0
1620987569.897501
LookupPrivilegeValueW
system_name:
privilege_name: SeTcbPrivilege
success 1 0
1620987569.897501
LookupPrivilegeValueW
system_name:
privilege_name: SeSecurityPrivilege
success 1 0
1620987569.897501
LookupPrivilegeValueW
system_name:
privilege_name: SeTakeOwnershipPrivilege
success 1 0
1620987569.897501
LookupPrivilegeValueW
system_name:
privilege_name: SeLoadDriverPrivilege
success 1 0
1620987569.912501
LookupPrivilegeValueW
system_name:
privilege_name: SeBackupPrivilege
success 1 0
1620987569.912501
LookupPrivilegeValueW
system_name:
privilege_name: SeRestorePrivilege
success 1 0
1620987569.928501
LookupPrivilegeValueW
system_name:
privilege_name: SeShutdownPrivilege
success 1 0
1620987569.928501
LookupPrivilegeValueW
system_name:
privilege_name: SeDebugPrivilege
success 1 0
1620987569.928501
LookupPrivilegeValueW
system_name:
privilege_name: SeRemoteShutdownPrivilege
success 1 0
1620987569.928501
LookupPrivilegeValueW
system_name:
privilege_name: SeEnableDelegationPrivilege
success 1 0
1620987569.928501
LookupPrivilegeValueW
system_name:
privilege_name: SeManageVolumePrivilege
success 1 0
1620987569.928501
LookupPrivilegeValueW
system_name:
privilege_name: SeCreateGlobalPrivilege
success 1 0
Queries for potentially installed applications (30 events)
Time & API Arguments Status Return Repeated
1620987528.601124
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4b6d927d-52b3-4c81-b281-11e07b67eb34}
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4b6d927d-52b3-4c81-b281-11e07b67eb34}
options: 0
failed 2 0
1620987528.601124
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4b6d927d-52b3-4c81-b281-11e07b67eb34}.RebootRequired
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4b6d927d-52b3-4c81-b281-11e07b67eb34}.RebootRequired
options: 0
failed 2 0
1620987528.601124
RegOpenKeyExW
access: 0x00000001
base_handle: 0x80000002
key_handle: 0x00000000
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4b6d927d-52b3-4c81-b281-11e07b67eb34}
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4b6d927d-52b3-4c81-b281-11e07b67eb34}
options: 0
failed 2 0
1620987543.070124
RegOpenKeyExW
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x00000488
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
options: 0
success 0 0
1620987543.070124
RegOpenKeyExW
access: 0x00020019
base_handle: 0x00000488
key_handle: 0x0000030c
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
regkey_r: AddressBook
options: 0
success 0 0
1620987543.070124
RegOpenKeyExW
access: 0x00020019
base_handle: 0x00000488
key_handle: 0x0000030c
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
regkey_r: Connection Manager
options: 0
success 0 0
1620987543.070124
RegOpenKeyExW
access: 0x00020019
base_handle: 0x00000488
key_handle: 0x0000030c
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
regkey_r: DirectDrawEx
options: 0
success 0 0
1620987543.070124
RegOpenKeyExW
access: 0x00020019
base_handle: 0x00000488
key_handle: 0x0000030c
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
regkey_r: Fontcore
options: 0
success 0 0
1620987543.070124
RegOpenKeyExW
access: 0x00020019
base_handle: 0x00000488
key_handle: 0x0000030c
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
regkey_r: Google Chrome
options: 0
success 0 0
1620987543.070124
RegOpenKeyExW
access: 0x00020019
base_handle: 0x00000488
key_handle: 0x0000030c
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40
regkey_r: IE40
options: 0
success 0 0
1620987543.070124
RegOpenKeyExW
access: 0x00020019
base_handle: 0x00000488
key_handle: 0x0000030c
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
regkey_r: IE4Data
options: 0
success 0 0
1620987543.085124
RegOpenKeyExW
access: 0x00020019
base_handle: 0x00000488
key_handle: 0x0000030c
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
regkey_r: IE5BAKEX
options: 0
success 0 0
1620987543.085124
RegOpenKeyExW
access: 0x00020019
base_handle: 0x00000488
key_handle: 0x0000030c
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData
regkey_r: IEData
options: 0
success 0 0
1620987543.101124
RegOpenKeyExW
access: 0x00020019
base_handle: 0x00000488
key_handle: 0x0000030c
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
regkey_r: MobileOptionPack
options: 0
success 0 0
1620987543.101124
RegOpenKeyExW
access: 0x00020019
base_handle: 0x00000488
key_handle: 0x0000030c
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
regkey_r: SchedulingAgent
options: 0
success 0 0
1620987543.101124
RegOpenKeyExW
access: 0x00020019
base_handle: 0x00000488
key_handle: 0x0000030c
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC
regkey_r: WIC
options: 0
success 0 0
1620987543.101124
RegOpenKeyExW
access: 0x00020019
base_handle: 0x80000001
key_handle: 0x00000000
regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
options: 0
failed 2 0
1620987545.225501
RegOpenKeyExW
access: 0x00020019
base_handle: 0x80000002
key_handle: 0x0000019c
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
options: 0
success 0 0
1620987545.225501
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000019c
key_handle: 0x000001a4
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
regkey_r: AddressBook
options: 0
success 0 0
1620987545.225501
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000019c
key_handle: 0x000001a4
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager
regkey_r: Connection Manager
options: 0
success 0 0
1620987545.225501
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000019c
key_handle: 0x000001a4
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
regkey_r: DirectDrawEx
options: 0
success 0 0
1620987545.225501
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000019c
key_handle: 0x000001a4
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
regkey_r: Fontcore
options: 0
success 0 0
1620987545.240501
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000019c
key_handle: 0x000001a4
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
regkey_r: Google Chrome
options: 0
success 0 0
1620987545.240501
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000019c
key_handle: 0x000001a4
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE40
regkey_r: IE40
options: 0
success 0 0
1620987545.240501
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000019c
key_handle: 0x000001a4
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
regkey_r: IE4Data
options: 0
success 0 0
1620987545.240501
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000019c
key_handle: 0x000001a4
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
regkey_r: IE5BAKEX
options: 0
success 0 0
1620987545.240501
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000019c
key_handle: 0x000001a4
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\IEData
regkey_r: IEData
options: 0
success 0 0
1620987545.240501
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000019c
key_handle: 0x000001a4
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
regkey_r: MobileOptionPack
options: 0
success 0 0
1620987545.256501
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000019c
key_handle: 0x000001a4
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
regkey_r: SchedulingAgent
options: 0
success 0 0
1620987545.256501
RegOpenKeyExW
access: 0x00020019
base_handle: 0x0000019c
key_handle: 0x000001a4
regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\WIC
regkey_r: WIC
options: 0
success 0 0
Network communication
One or more of the buffers contains an embedded PE file (2 events)
buffer Buffer with sha1: 7265937343994a24e5e3ae099518f8a196a53f06
buffer Buffer with sha1: 7e80d94765e7079951654d63af02d8b49a2511f6
Installs itself for autorun at Windows startup (1 event)
reg_key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{4b6d927d-52b3-4c81-b281-11e07b67eb34}
reg_value "C:\ProgramData\Package Cache\{4b6d927d-52b3-4c81-b281-11e07b67eb34}\LabTechRemoteAgent.exe" /burn.runonce
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 172.217.24.14:443
Visual analysis
Binary image
No binary image: no binary visualization was generated for this sample
Runtime screenshots
No screenshots: no screenshots were captured while this sample ran


PE Compile Time

2018-03-01 02:25:32

Imports

Library ADVAPI32.dll:
0x44b000 RegCloseKey
0x44b004 RegOpenKeyExW
0x44b008 OpenProcessToken
0x44b018 GetUserNameW
0x44b01c RegQueryValueExW
0x44b020 RegDeleteValueW
0x44b028 DecryptFileW
0x44b02c CreateWellKnownSid
0x44b030 InitializeAcl
0x44b034 SetEntriesInAclW
0x44b03c CloseServiceHandle
0x44b040 ControlService
0x44b044 OpenSCManagerW
0x44b048 OpenServiceW
0x44b04c QueryServiceStatus
0x44b05c SetEntriesInAclA
0x44b070 RegSetValueExW
0x44b074 RegQueryInfoKeyW
0x44b078 RegEnumValueW
0x44b07c RegEnumKeyExW
0x44b080 RegDeleteKeyW
0x44b084 RegCreateKeyExW
0x44b088 GetTokenInformation
0x44b08c CryptDestroyHash
0x44b090 CryptHashData
0x44b094 CryptCreateHash
0x44b098 CryptGetHashParam
0x44b09c CryptReleaseContext
0x44b0a4 QueryServiceConfigW
Library USER32.dll:
0x44b34c GetMessageW
0x44b350 PostMessageW
0x44b354 IsWindow
0x44b358 WaitForInputIdle
0x44b35c PostQuitMessage
0x44b360 PeekMessageW
0x44b368 PostThreadMessageW
0x44b36c GetMonitorInfoW
0x44b370 MonitorFromPoint
0x44b374 IsDialogMessageW
0x44b378 LoadCursorW
0x44b37c LoadBitmapW
0x44b380 SetWindowLongW
0x44b384 GetWindowLongW
0x44b388 GetCursorPos
0x44b38c MessageBoxW
0x44b390 CreateWindowExW
0x44b394 UnregisterClassW
0x44b398 RegisterClassW
0x44b39c DefWindowProcW
0x44b3a0 DispatchMessageW
0x44b3a4 TranslateMessage
Library OLEAUT32.dll:
0x44b320 SysFreeString
0x44b324 SysAllocString
0x44b328 VariantInit
0x44b32c VariantClear
Library GDI32.dll:
0x44b0ac CreateCompatibleDC
0x44b0b0 DeleteObject
0x44b0b4 SelectObject
0x44b0b8 StretchBlt
0x44b0bc GetObjectW
0x44b0c0 DeleteDC
Library SHELL32.dll:
0x44b33c SHGetFolderPathW
0x44b340 CommandLineToArgvW
0x44b344 ShellExecuteExW
Library ole32.dll:
0x44b3ac CoUninitialize
0x44b3b0 CoInitializeEx
0x44b3b4 CoInitialize
0x44b3b8 StringFromGUID2
0x44b3bc CoCreateInstance
0x44b3c0 CoTaskMemFree
0x44b3c8 CLSIDFromProgID
Library KERNEL32.dll:
0x44b0c8 GetCommandLineA
0x44b0cc GetCPInfo
0x44b0d0 GetOEMCP
0x44b0d4 CloseHandle
0x44b0d8 CreateFileW
0x44b0dc GetProcAddress
0x44b0e0 LocalFree
0x44b0e4 HeapSetInformation
0x44b0e8 GetLastError
0x44b0ec GetModuleHandleW
0x44b0f0 FormatMessageW
0x44b0f4 lstrlenA
0x44b0f8 lstrlenW
0x44b0fc MultiByteToWideChar
0x44b100 WideCharToMultiByte
0x44b104 LCMapStringW
0x44b108 Sleep
0x44b10c GetLocalTime
0x44b110 GetModuleFileNameW
0x44b118 GetTempPathW
0x44b11c GetTempFileNameW
0x44b120 CreateDirectoryW
0x44b124 GetFullPathNameW
0x44b128 CompareStringW
0x44b12c GetCurrentProcessId
0x44b130 WriteFile
0x44b134 SetFilePointer
0x44b138 LoadLibraryW
0x44b13c GetSystemDirectoryW
0x44b140 CreateFileA
0x44b144 HeapAlloc
0x44b148 HeapReAlloc
0x44b14c HeapFree
0x44b150 HeapSize
0x44b154 GetProcessHeap
0x44b158 FindClose
0x44b15c GetCommandLineW
0x44b164 RemoveDirectoryW
0x44b168 SetFileAttributesW
0x44b16c GetFileAttributesW
0x44b170 DeleteFileW
0x44b174 FindFirstFileW
0x44b178 FindNextFileW
0x44b17c MoveFileExW
0x44b180 GetCurrentProcess
0x44b184 GetCurrentThreadId
0x44b190 ReleaseMutex
0x44b198 TlsGetValue
0x44b19c TlsSetValue
0x44b1a0 TlsFree
0x44b1a4 CreateProcessW
0x44b1a8 GetVersionExW
0x44b1ac VerSetConditionMask
0x44b1b0 FreeLibrary
0x44b1bc GetSystemTime
0x44b1c0 GetNativeSystemInfo
0x44b1c4 GetModuleHandleExW
0x44b1d0 GetComputerNameW
0x44b1d4 VerifyVersionInfoW
0x44b1d8 GetVolumePathNameW
0x44b1dc GetDateFormatW
0x44b1e8 GetStringTypeW
0x44b1ec ReadFile
0x44b1f0 SetFilePointerEx
0x44b1f4 DuplicateHandle
0x44b1f8 InterlockedExchange
0x44b200 CreateEventW
0x44b208 OpenProcess
0x44b20c GetProcessId
0x44b210 WaitForSingleObject
0x44b214 ConnectNamedPipe
0x44b21c CreateNamedPipeW
0x44b220 CreateThread
0x44b224 GetExitCodeThread
0x44b228 SetEvent
0x44b238 ResetEvent
0x44b23c SetEndOfFile
0x44b240 SetFileTime
0x44b24c CompareStringA
0x44b250 GetExitCodeProcess
0x44b258 CopyFileExW
0x44b25c MapViewOfFile
0x44b260 UnmapViewOfFile
0x44b264 CreateMutexW
0x44b268 CreateFileMappingW
0x44b26c GetThreadLocale
0x44b270 IsValidCodePage
0x44b278 TlsAlloc
0x44b27c SetStdHandle
0x44b280 GetConsoleCP
0x44b284 GetConsoleMode
0x44b288 FlushFileBuffers
0x44b28c DecodePointer
0x44b290 WriteConsoleW
0x44b294 GetModuleHandleA
0x44b298 GlobalAlloc
0x44b29c GlobalFree
0x44b2a0 GetFileSizeEx
0x44b2a4 CopyFileW
0x44b2a8 VirtualAlloc
0x44b2ac VirtualFree
0x44b2bc GetSystemInfo
0x44b2c0 VirtualProtect
0x44b2c4 VirtualQuery
0x44b2cc FindFirstFileExW
0x44b2d0 GetFileType
0x44b2d4 GetACP
0x44b2d8 ExitProcess
0x44b2dc GetStdHandle
0x44b2e0 LoadLibraryExW
0x44b2f0 TerminateProcess
0x44b300 InitializeSListHead
0x44b304 IsDebuggerPresent
0x44b308 GetStartupInfoW
0x44b30c RaiseException
0x44b310 RtlUnwind
0x44b314 SetLastError
0x44b318 LoadLibraryExA
Library RPCRT4.dll:
0x44b334 UuidCreate

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Host Destination Port
192.168.56.101 49183 124.229.53.1 www.download.windowsupdate.com 80
192.168.56.101 49177 24.121.242.3 help.mammothit.com 443

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 50534 114.114.114.114 53
192.168.56.101 53657 114.114.114.114 53
192.168.56.101 54991 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 65004 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 49713 224.0.0.252 5355
192.168.56.101 50568 224.0.0.252 5355
192.168.56.101 51808 224.0.0.252 5355
192.168.56.101 53210 224.0.0.252 5355
192.168.56.101 54260 224.0.0.252 5355
192.168.56.101 55368 224.0.0.252 5355
192.168.56.101 56804 224.0.0.252 5355
192.168.56.101 57756 224.0.0.252 5355
192.168.56.101 57874 224.0.0.252 5355
192.168.56.101 58970 224.0.0.252 5355
192.168.56.101 60123 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 3600
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 03 Mar 2021 06:32:16 GMT
If-None-Match: "0d8f4f3f6fd71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 19 Apr 2021 20:17:25 GMT
If-None-Match: "80f8835935d71:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.download.windowsupdate.com

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.