10.0
0-day
21 个模型检测该样本为恶意!
重新分析
更多

3ce51d75d51211fbd05c5fa831def9ce2cf418fc3c6b5b71bcb36a5e63b70cb3

da39a171c75fcc4705e0341dba534105.exe

分析耗时

99s

最近分析

文件大小

1.6MB
静态报毒 动态报毒 AI SCORE=86 ARTEMIS BSCOPE GENERIC@ML GENERICRXIW HEYJBU7XKPDT8YTJNLUJIQ HIGH CONFIDENCE KUAIZIP LUDICROUZ RDMK ULISE UNSAFE 更多
鹰眼引擎
未检测 暂无鹰眼引擎检测结果
静态判定
反病毒引擎
查杀引擎 查杀结果 查杀时间 查杀版本
McAfee GenericRXIW-NR!DA39A171C75F 20191019 6.0.6.653
Alibaba 20190527 0.3.0.5
CrowdStrike 20190702 1.0
Baidu 20190318 1.0.0.2
Avast Win32:Malware-gen 20191019 18.4.3895.0
Tencent 20191019 1.0.0.1
Kingsoft 20191019 2013.8.14.323
静态指标
Queries for the computername (2 个事件)
Time & API Arguments Status Return Repeated
1621006491.168499
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
1621006491.246499
GetComputerNameW
computer_name: OSKAR-PC
success 1 0
This executable is signed
The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 个事件)
section .gfids
The file contains an unknown PE resource name possibly indicative of a packer (1 个事件)
resource name ZIPRES
行为判定
动态指标
One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.
HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 个事件)
suspicious_features GET method with no useragent header suspicious_request GET http://i.haotukankan.com/tui/tpop/tpop4/tpop.xml
suspicious_features GET method with no useragent header suspicious_request GET http://hotnews.dftoutiao.com/hotwordsnews/getnews?qid=haotutitle&platform=pc&newstype=now
Performs some HTTP requests (23 个事件)
request GET http://i.haotukankan.com/tui/tpop/tpop4/tpop.xml
request GET http://hotnews.dftoutiao.com/hotwordsnews/getnews?qid=haotutitle&platform=pc&newstype=now
request GET http://news.7654.com/tpop4/haotushtpop4/2.html?qid=&env=0&quid=24AEBD0FDEFA6370B2156096BB11532E&titleNews=%e5%9b%bd%e5%ae%b6%e5%8d%ab%e5%81%a5%e5%a7%94%e6%b4%be%e5%87%ba%e4%b8%93%e5%ae%b6%e7%bb%84%e5%89%8d%e5%be%80%e5%ae%89%e5%be%bd&tuid=24AEBD0FDEFA6370B2156096BB11532E&1621008895
request GET http://news.7654.com/tpop4/haotushtpop4/statics/kuaiya_new/css/reset.css?1609137003
request GET http://news.7654.com/tpop4/haotushtpop4/statics/tpop1130/css/news.css?1609137003
request GET http://news.7654.com/tpop4/haotushtpop4/statics/jquery.js?1609137003
request GET http://tt-img.7654.com/image/285cb44d6b67a338d91f44fa605e366f?imageMogr2/crop/144x86
request GET http://news.7654.com/tpop4/haotushtpop4/statics/tpop1130/imgs/close.png
request GET http://news.7654.com/tpop4/haotushtpop4/statics/js/jquery.xdomainrequest.min.js?1609137003
request GET http://news.7654.com/tpop4/haotushtpop4/statics/tpop1130/js/base64.js?1609137003
request GET http://news.7654.com/tpop4/haotushtpop4/statics/tpop1130/js/tpop.js?1609137003
request GET http://show.g.mediav.com/s?type=1&of=4&newf=1&showid=UIFwyR&uid=16210089051062298&reqtimes=1&impct=2&jsonp=jQuery19108689790511174189_1621008903574&_=1621008903575
request GET http://news.7654.com/tpop4/haotushtpop4/statics/imgs/logo_haotu.png
request GET http://max-l.mediav.com/rtb?type=2&v=CGQSEDE1NTczNmU0ZWFiMTA0MWIYiaOOASC0k0EoAWIXMjI2MjM1MDI3NTEzNjE1MTQwNTAwMjFwAYgBAJoBEDE1NTczNmU0ZWFiMTA4MWKiARAxNTU3MzZlNGVhYjEwNDFi&k=Jp8ZVwAAAAA=&ver=1&exp=EABDEgBDIABDNQBDQABDVABDcgBDggBDIAJDQAJDBQBECQBECQFENwJERQJEYgJE&w=AAAAAGCeKJMAAAAAAAPPMIlf-dT4wZct0374nw&i=alrRnuGEzDVE&st=__EVENT_TIME_START__&et=__EVENT_TIME_END__
request GET http://g1xd.mediav.com/s?type=1&r=20&tid=MjI2MjM1MDI3NTEzNjE1MTQwNTAwMjE&finfo=DAABCAABAAAAIQgAAgAAAAQEAAM/gOc/otTkSQAIAAIAAAADCgADJeRSPHeyEAsIAAQAAAAEBgAGLbcGAAoAAAoADwAAAAAABQkQAA&mv_ref=news.7654.com&enup=CAABOzJVEwgAAhNVMjsA&mvid=MjI2MjM1MDI3NTEzNjE1MTQwNTAwMjE&bid=155736e4eab1041b&ugi=FeimggEVjKJjTBUCFZQCFZgCFQAAFd+TmrYDFoAIFcgBFoCr6OmpkeEFHBadgKfYh57fg+wBFQAAJbH758QPAA&uai=FZLGnAIlCBUCFtrdgLuPyaTkSxXyCCWUg7SvDyUAFRoUABwW9Nn7r9uPwvx4FQAAAA&ubi=FaKGhAEVhJXEAxWkosscFY7C5GAVBBUcFqyMmcQYFtrdlaKZj6nkSzQCFqKgkIDAAiUGFYC63Y4HFeQOFQAkFBbTtL63oryQhJUBFQAl5gIVDBUMFQIXAAAAAJpCor8A&ds=1&price=AAAAAGCeKJMAAAAAAAPPFjwgeqhBUQHyyWnlgQ==
request GET http://max-l.mediav.com/rtb?type=2&v=CGQSEDE1NTczNmU0ZWFiMTA0MWIYiaOOASC0k0EoAmIXMjI2MjM1MDI3NTEzNjE1MTQwNTAwMjFwAYgBAJoBEDE1NTczNmU0ZWFiMTA4MWKiARAxNTU3MzZlNGVhYjEwNDFi&k=J8EmOQAAAAA=&ver=1&exp=EABDEgBDIABDNQBDQABDVABDcgBDggBDIAJDQAJDBQBECQBECQFENwJERQJEYgJE&w=AAAAAGCeKJMAAAAAAAPPaZ6kbguPBZlh4ofL0A&i=al6RnuGEzDVm&st=__EVENT_TIME_START__&et=__EVENT_TIME_END__
request GET http://g1xd.mediav.com/s?type=1&r=20&tid=MjI2MjM1MDI3NTEzNjE1MTQwNTAwMjE&finfo=DAABCAABAAAABwgAAgAAAAMEAAM/Yg6bqxgXMgAIAAIAAAADCgADJeRbVWLKSl4IAAQAAAADBgAGLbcGAAoAAAoADwAAAAAAARFwAA&mv_ref=news.7654.com&enup=CAABOzJVEwgAAhNVMjsA&mvid=MjI2MjM1MDI3NTEzNjE1MTQwNTAwMjE&bid=155736e4eab1041b&ugi=FeimggEVjKJjTBUCFZQCFZgCFQAAFd+TmrYDFoAIFcgBFoCr6OmpkeEFHBadgKfYh57fg+wBFQAAJbH758QPAA&uai=FZLGnAIlCBUCFtrdgLuPyaTkSxXyCCWUg7SvDyUAFRoUABwW9Nn7r9uPwvx4FQAAAA&ubi=FfSLggEV6tbEAxXK8s0cFZS86GAVBBUcFtjcoL4YFtrdqomj1a3kSzQEFqKgkIDAAiUGFZzH4vYHFeQOFQAkFBaywJyHnPTa9bEBFQAlpAIVCBUMFQIXAAAAgORhmr8A&ds=2&price=AAAAAGCeKJMAAAAAAAPPT0r9eBnXH4hccDeOQQ==
request GET http://s3m5.fenxi.com/galileo/ac6a34648a9723474dbcea56daafeb9b.jpg
request GET http://s3m4.fenxi.com/galileo/53a2b3c1f5c06094821753c62214d370-rs_small.gif
request GET http://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAAURO8EJH
request GET http://ocsp2.globalsign.com/gsorganizationvalsha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBQMnk2cPe3vhNiR6XLHz4QGvBl7BwQUlt5h8b0cFilTHMDMfTuDAEDmGnwCDBhyuElvTh7HbtMMiw%3D%3D
request GET https://hm.baidu.com/hm.js?cbb8eca4662b5865ba0f0a501ba84561
request GET https://hm.baidu.com/hm.gif?cc=1&ck=1&cl=32-bit&ds=800x600&vl=377&et=0&ja=1&ln=zh-cn&lo=0&rnd=1299522948&si=cbb8eca4662b5865ba0f0a501ba84561&v=1.2.80&lv=1&sn=697&r=0&ww=396&ct=!!&u=http%3A%2F%2Fnews.7654.com%2Ftpop4%2Fhaotushtpop4%2F2.html%3Fqid%3D%26env%3D0%26quid%3D24AEBD0FDEFA6370B2156096BB11532E%26titleNews%3D%25e5%259b%25bd%25e5%25ae%25b6%25e5%258d%25ab%25e5%2581%25a5%25e5%25a7%2594%25e6%25b4%25be%25e5%2587%25ba%25e4%25b8%2593%25e5%25ae%25b6%25e7%25bb%2584%25e5%2589%258d%25e5%25be%2580%25e5%25ae%2589%25e5%25be%25bd%26tuid%3D24AEBD0FDEFA6370B2156096BB11532E%261621008895&tt=%E5%A5%BD%E5%9B%BE%E6%96%B0%E9%97%BB
Allocates read-write-execute memory (usually to unpack itself) (1 个事件)
Time & API Arguments Status Return Repeated
1621006522.308499
NtAllocateVirtualMemory
process_identifier: 2268
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
process_handle: 0xffffffff
allocation_type: 4096 (MEM_COMMIT)
base_address: 0x04f40000
success 0 0
Foreign language identified in PE resource (6 个事件)
name RT_MENU language LANG_CHINESE offset 0x00188068 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000001c
name RT_MENU language LANG_CHINESE offset 0x00188068 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000001c
name RT_DIALOG language LANG_CHINESE offset 0x00188098 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000114
name RT_STRING language LANG_CHINESE offset 0x0019a0f8 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x0000003c
name RT_ACCELERATOR language LANG_CHINESE offset 0x00188088 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000010
name RT_VERSION language LANG_CHINESE offset 0x001881b0 filetype data sublanguage SUBLANG_CHINESE_SIMPLIFIED size 0x00000278
Creates executable files on the filesystem (5 个事件)
file C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6ZOR341Z\base64[1].js
file C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JSSP0KXB\tpop[1].js
file C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\X6VHVO8H\jquery[1].js
file C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JSSP0KXB\hm[1].js
file C:\Users\Administrator.Oskar-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JSSP0KXB\jquery.xdomainrequest.min[1].js
Checks adapter addresses which can be used to detect virtual network interfaces (1 个事件)
Time & API Arguments Status Return Repeated
1621006494.262499
GetAdaptersAddresses
flags: 0
family: 0
failed 111 0
The binary likely contains encrypted or compressed data indicative of a packer (1 个事件)
entropy 7.570457710338706 section {'size_of_data': '0x00018400', 'virtual_address': '0x00182000', 'entropy': 7.570457710338706, 'name': '.rsrc', 'virtual_size': '0x000183b8'} description A section with a high entropy has been found
网络通信
Communicates with host for which no DNS query was performed (4 个事件)
host 104.16.236.79
host 104.18.87.101
host 113.108.239.196
host 172.217.24.14
Enumerates services, possibly for anti-virtualization (1 个事件)
Time & API Arguments Status Return Repeated
1621006490.996499
EnumServicesStatusW
service_handle: 0x0093a648
service_type: 59
service_status: 1
failed 0 0
Attempts to modify browser security settings (15 个事件)
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\da39a171c75fcc4705e0341dba534105.exe
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING \da39a171c75fcc4705e0341dba534105.exe
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\da39a171c75fcc4705e0341dba534105.exe
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\da39a171c75fcc4705e0341dba534105.exe
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\da39a171c75fcc4705e0341dba534105.exe
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI \da39a171c75fcc4705e0341dba534105.exe
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\da39a171c75fcc4705e0341dba534105.exe
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\da39a171c75fcc4705e0341dba534105.exe
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\da39a171c75fcc4705e0341dba534105.exe
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\da39a171c75fcc4705e0341dba534105.exe
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING\da39a171c75fcc4705e0341dba534105.exe
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\da39a171c75fcc4705e0341dba534105.exe
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT\da39a171c75fcc4705e0341dba534105.exe
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET\da39a171c75fcc4705e0341dba534105.exe
registry HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\da39a171c75fcc4705e0341dba534105.exe
Queries information on disks, possibly for anti-virtualization (3 个事件)
Time & API Arguments Status Return Repeated
1621006491.152499
NtCreateFile
create_disposition: 1 (FILE_OPEN)
file_handle: 0x000000f4
filepath: \??\PhysicalDrive0
desired_access: 0xc0100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE|GENERIC_WRITE)
file_attributes: 0 ()
filepath_r: \??\PhysicalDrive0
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 1 (FILE_OPENED)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
success 0 0
1621006491.246499
NtCreateFile
create_disposition: 1 (FILE_OPEN)
file_handle: 0x00000130
filepath: \??\PhysicalDrive0
desired_access: 0x00100080 (FILE_READ_ATTRIBUTES|SYNCHRONIZE)
file_attributes: 0 ()
filepath_r: \??\PhysicalDrive0
create_options: 96 (FILE_NON_DIRECTORY_FILE|FILE_SYNCHRONOUS_IO_NONALERT)
status_info: 0 (FILE_SUPERSEDED)
share_access: 3 (FILE_SHARE_READ|FILE_SHARE_WRITE)
success 0 0
1621006491.246499
DeviceIoControl
input_buffer:
device_handle: 0x00000130
control_code: 2954240 ()
output_buffer: (§Lu~ $ VBOX HARDDISK 1.0VBOX HARDDISK 1.0 42566434623363626138662d3764623238312037
success 1 0
Sets or modifies WPAD proxy autoconfiguration file for traffic interception (8 个事件)
Time & API Arguments Status Return Repeated
1621006497.058499
RegSetValueExA
key_handle: 0x000004b0
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionReason
success 0 0
1621006497.058499
RegSetValueExA
key_handle: 0x000004b0
value: 0¦HÜH×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecisionTime
success 0 0
1621006497.058499
RegSetValueExA
key_handle: 0x000004b0
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadDecision
success 0 0
1621006497.058499
RegSetValueExW
key_handle: 0x000004b0
value: 网络 2
regkey_r: WpadNetworkName
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{40112ABE-63B3-43C3-BE93-1440EE3AF106}\WpadNetworkName
success 0 0
1621006497.074499
RegSetValueExA
key_handle: 0x000004b4
value: 1
regkey_r: WpadDecisionReason
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
success 0 0
1621006497.074499
RegSetValueExA
key_handle: 0x000004b4
value: 0¦HÜH×
regkey_r: WpadDecisionTime
reg_type: 3 (REG_BINARY)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
success 0 0
1621006497.074499
RegSetValueExA
key_handle: 0x000004b4
value: 3
regkey_r: WpadDecision
reg_type: 4 (REG_DWORD)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
success 0 0
1621006497.277499
RegSetValueExW
key_handle: 0x00000434
value: {40112ABE-63B3-43C3-BE93-1440EE3AF106}
regkey_r: WpadLastNetwork
reg_type: 1 (REG_SZ)
regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork
success 0 0
Network activity contains more than one unique useragent (2 个事件)
process da39a171c75fcc4705e0341dba534105.exe useragent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:14.0) Gecko/20100101 Firefox/14.0.1
process da39a171c75fcc4705e0341dba534105.exe useragent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 个事件)
MicroWorld-eScan Gen:Variant.Ulise.75278
McAfee GenericRXIW-NR!DA39A171C75F
K7AntiVirus Riskware ( 0040eff71 )
K7GW Riskware ( 0040eff71 )
Symantec Trojan.Gen.2
Avast Win32:Malware-gen
BitDefender Gen:Variant.Ulise.75278
Endgame malicious (high confidence)
Emsisoft Gen:Variant.Ulise.75278 (B)
McAfee-GW-Edition Artemis!Trojan
MAX malware (ai score=86)
Antiy-AVL Trojan/Win32.Ludicrouz
Arcabit Trojan.Ulise.D1260E
GData Gen:Variant.Ulise.75278
VBA32 BScope.Adware.KuaiZip
ALYac Gen:Variant.Ulise.75278
Ad-Aware Gen:Variant.Ulise.75278
Cylance Unsafe
Rising Trojan.Generic@ML.92 (RDMK:HeYjbu7xkpdT8YTjnlujiQ)
AVG Win32:Malware-gen
Panda Trj/CI.A
Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (3 个事件)
dead_host 216.58.200.46:443
dead_host 104.16.236.79:443
dead_host 192.168.56.101:49183
可视化分析
二进制图像
暂无二进制图像 该样本未生成二进制可视化图像
运行截图
暂无运行截图 该样本运行过程中未生成截图

👋 欢迎使用 ChatHawk

我是您的恶意软件分析助手,可以帮您分析和解读恶意软件报告。请随时向我提问!

🔍 主要威胁分析
⚡ 行为特征
🛡️ 防护建议
🔧 技术手段
🎯 检测方法
🤖

PE Compile Time

2019-08-27 16:30:55

Imports

Library KERNEL32.dll:
0x520134 GetCurrentProcess
0x520138 CreateEventW
0x52013c SetEvent
0x520140 WriteFile
0x520144 CreateNamedPipeW
0x52014c GetOverlappedResult
0x520150 FlushFileBuffers
0x520154 WaitNamedPipeW
0x52015c TransactNamedPipe
0x520160 DisconnectNamedPipe
0x520164 ConnectNamedPipe
0x520168 LoadLibraryA
0x52016c IsBadReadPtr
0x520174 GetCommandLineW
0x52017c CreateDirectoryW
0x520180 GlobalAlloc
0x520184 FormatMessageW
0x520188 LocalFree
0x52018c GetVersionExW
0x520190 GlobalLock
0x520194 GlobalUnlock
0x520198 GetCurrentThreadId
0x52019c GetCurrentProcessId
0x5201ac GetStartupInfoW
0x5201b8 InitializeSListHead
0x5201c0 ResumeThread
0x5201cc DeviceIoControl
0x5201d0 GetSystemDirectoryW
0x5201d4 CreateFileA
0x5201d8 GetCurrentThread
0x5201dc GetComputerNameW
0x5201e0 GetModuleHandleA
0x5201e4 FindFirstFileW
0x5201e8 GetFileAttributesW
0x5201ec GetStdHandle
0x5201f0 WriteConsoleW
0x5201f8 EncodePointer
0x5201fc RtlUnwind
0x520200 TlsAlloc
0x520204 TlsGetValue
0x520208 TlsSetValue
0x52020c TlsFree
0x520210 GetACP
0x520214 ExitThread
0x52021c GetFileType
0x520220 FindClose
0x520224 FindFirstFileExW
0x520228 FindNextFileW
0x520238 CompareStringW
0x52023c LCMapStringW
0x520240 GetLocaleInfoW
0x520244 IsValidLocale
0x520248 GetUserDefaultLCID
0x52024c EnumSystemLocalesW
0x520250 GetStringTypeW
0x520258 GetConsoleCP
0x52025c GetConsoleMode
0x520260 SetFilePointerEx
0x520264 IsValidCodePage
0x520268 GetOEMCP
0x52026c GetCPInfo
0x520270 GetCommandLineA
0x520284 SetStdHandle
0x520288 ReadConsoleW
0x52028c SetEndOfFile
0x520290 TerminateThread
0x520294 SetLastError
0x52029c FreeLibrary
0x5202a0 GetProcAddress
0x5202a4 LoadLibraryExW
0x5202a8 DecodePointer
0x5202ac HeapAlloc
0x5202b0 HeapReAlloc
0x5202b4 HeapFree
0x5202b8 HeapSize
0x5202bc GetProcessHeap
0x5202c0 RaiseException
0x5202c8 IsDebuggerPresent
0x5202cc OutputDebugStringW
0x5202d8 MultiByteToWideChar
0x5202dc WideCharToMultiByte
0x5202e0 LoadResource
0x5202e4 LockResource
0x5202e8 SizeofResource
0x5202ec FindResourceW
0x5202f0 CloseHandle
0x5202f4 GetModuleFileNameW
0x5202f8 lstrcmpiW
0x5202fc GetModuleFileNameA
0x520300 GetModuleHandleExW
0x520304 GetTickCount
0x52030c Process32FirstW
0x520310 Process32NextW
0x520314 OpenProcess
0x520318 TerminateProcess
0x52031c GetFullPathNameW
0x520320 GetDriveTypeW
0x520324 PeekNamedPipe
0x520328 FormatMessageA
0x52032c SleepEx
0x520330 VerifyVersionInfoA
0x520334 SetErrorMode
0x520338 VerSetConditionMask
0x520344 DuplicateHandle
0x520348 SetFileTime
0x52034c SetFilePointer
0x520350 MulDiv
0x520358 LoadLibraryW
0x52035c GetLastError
0x520360 GetLocalTime
0x520364 lstrlenW
0x520368 lstrcpyW
0x52036c Sleep
0x520370 FreeResource
0x520374 GetProcessTimes
0x520378 ReadFile
0x52037c GetFileSize
0x520380 ExitProcess
0x520384 GetModuleHandleW
0x52038c CreateRemoteThread
0x520390 WriteProcessMemory
0x520394 CreateProcessW
0x520398 CopyFileW
0x5203a0 OpenMutexW
0x5203a4 GetFileSizeEx
0x5203a8 WaitForSingleObject
0x5203ac CreateThread
0x5203b0 SetFileAttributesW
0x5203b4 DeleteFileW
0x5203b8 CreateFileW
0x5203bc CreateMutexW
Library USER32.dll:
0x520420 GetWindowRect
0x520424 GetParent
0x520428 WindowFromPoint
0x520430 GetMonitorInfoW
0x520434 GetShellWindow
0x520438 GetDesktopWindow
0x52043c GetForegroundWindow
0x520440 GetSystemMetrics
0x520444 MonitorFromWindow
0x520448 SetTimer
0x52044c SetWindowLongW
0x520450 IsWindowVisible
0x520454 ShowWindow
0x520458 CallWindowProcW
0x52045c ReleaseDC
0x520460 DrawTextW
0x520464 GetDC
0x520468 GetLastInputInfo
0x52046c IsWindow
0x520470 IsIconic
0x520474 IsZoomed
0x520478 DestroyWindow
0x52047c PostQuitMessage
0x520480 SetWindowPos
0x520484 KillTimer
0x520488 GetCursorPos
0x52048c DefWindowProcW
0x520490 LoadCursorW
0x520494 RegisterClassExW
0x520498 CreateWindowExW
0x52049c UpdateWindow
0x5204a0 DispatchMessageW
0x5204a4 PeekMessageW
0x5204a8 TranslateMessage
0x5204ac AnimateWindow
0x5204b0 SetForegroundWindow
0x5204b4 LoadMenuW
0x5204b8 GetSubMenu
0x5204bc SetMenuDefaultItem
0x5204c0 TrackPopupMenu
0x5204c4 PostMessageW
0x5204c8 DestroyMenu
0x5204cc LoadImageW
0x5204d0 ClientToScreen
0x5204d4 MapVirtualKeyExW
0x5204d8 GetKeyNameTextW
0x5204dc GetKeyboardLayout
0x5204e0 IsWindowEnabled
0x5204e8 SetWindowTextW
0x5204ec PtInRect
0x5204f0 FindWindowExW
0x5204f4 wsprintfW
0x5204f8 MoveWindow
0x5204fc SetWinEventHook
0x520500 EnumWindows
0x520504 SetWindowPlacement
0x520508 GetWindowPlacement
0x52050c GetWindowTextW
0x520510 GetClassNameW
0x520514 SetCursor
0x520518 SendMessageW
0x52051c InflateRect
0x520520 UnionRect
0x520524 OffsetRect
0x520528 GetMessageW
0x52052c CharNextW
0x520530 SetFocus
0x520534 GetActiveWindow
0x520538 GetFocus
0x52053c GetKeyState
0x520540 SetCapture
0x520544 ReleaseCapture
0x520548 BeginPaint
0x52054c EndPaint
0x520550 GetUpdateRect
0x520554 InvalidateRect
0x520558 GetClientRect
0x52055c CreateCaret
0x520560 GetCaretBlinkTime
0x520564 SetCaretPos
0x520568 ScreenToClient
0x52056c MapWindowPoints
0x520570 GetSysColor
0x520574 IntersectRect
0x520578 IsRectEmpty
0x52057c GetWindowLongW
0x520580 GetWindow
0x520584 RegisterClassW
0x520588 GetClassInfoExW
0x52058c EnableWindow
0x520590 GetMenu
0x520594 SetPropW
0x520598 GetPropW
0x52059c AdjustWindowRectEx
0x5205a0 UpdateLayeredWindow
0x5205a4 GetWindowRgn
0x5205ac SetWindowRgn
0x5205b0 MessageBoxW
0x5205b4 CharPrevW
0x5205b8 FillRect
0x5205bc SetRect
0x5205c0 HideCaret
0x5205c4 ShowCaret
0x5205c8 GetCaretPos
0x5205d0 InvalidateRgn
0x5205d4 GetGUIThreadInfo
Library ole32.dll:
0x520784 CoCreateGuid
0x520788 CoInitialize
0x52078c CoCreateInstance
0x520794 CoSetProxyBlanket
0x520798 OleLockRunning
0x52079c CLSIDFromProgID
0x5207a0 CLSIDFromString
0x5207a4 ReleaseStgMedium
0x5207a8 OleDuplicateData
0x5207ac DoDragDrop
0x5207b0 RegisterDragDrop
0x5207b4 CoUninitialize
0x5207b8 CoInitializeEx
0x5207bc StringFromCLSID
0x5207c0 CoTaskMemFree
Library OLEAUT32.dll:
0x5203c4 VariantInit
0x5203c8 SysFreeString
0x5203cc VariantClear
0x5203d0 SysAllocString
Library WS2_32.dll:
0x520654 getsockname
0x520658 getpeername
0x52065c connect
0x520660 ntohl
0x520664 htonl
0x520668 closesocket
0x52066c bind
0x520670 send
0x520674 recv
0x520678 WSASetLastError
0x52067c select
0x520680 listen
0x520684 accept
0x520688 sendto
0x52068c __WSAFDIsSet
0x520690 WSAGetLastError
0x520694 WSACleanup
0x520698 WSAStartup
0x52069c gethostname
0x5206a0 gethostbyname
0x5206a4 getsockopt
0x5206a8 htons
0x5206ac ntohs
0x5206b0 setsockopt
0x5206b4 recvfrom
0x5206b8 freeaddrinfo
0x5206bc getaddrinfo
0x5206c0 WSAIoctl
0x5206c4 socket
0x5206c8 ioctlsocket
Library GDI32.dll:
0x520060 SetBkMode
0x520064 ExtSelectClipRgn
0x520068 SelectClipRgn
0x52006c RoundRect
0x520070 LineTo
0x520078 TextOutW
0x52007c GetCharABCWidthsW
0x520080 CreateSolidBrush
0x520088 CreatePenIndirect
0x52008c CombineRgn
0x520090 CreateRoundRectRgn
0x520094 PtInRegion
0x520098 CreateRectRgn
0x52009c SetWindowOrgEx
0x5200a0 GetTextMetricsW
0x5200a4 StretchBlt
0x5200ac CreateEnhMetaFileW
0x5200b0 CloseEnhMetaFile
0x5200b4 SaveDC
0x5200b8 RestoreDC
0x5200bc CreatePen
0x5200c0 CreateFontIndirectW
0x5200c4 CreateDIBitmap
0x5200cc BitBlt
0x5200d0 GdiFlush
0x5200d4 GetBitmapBits
0x5200d8 SetBitmapBits
0x5200dc DeleteDC
0x5200e0 SetTextColor
0x5200e4 GetObjectW
0x5200e8 SetStretchBltMode
0x5200ec GetObjectA
0x5200f0 PlayEnhMetaFile
0x5200f4 MoveToEx
0x5200f8 SetBkColor
0x5200fc GetClipBox
0x520100 GetDeviceCaps
0x520104 SelectObject
0x520108 CreateDIBSection
0x52010c CreateCompatibleDC
0x520110 GetStockObject
0x520114 DeleteObject
Library ADVAPI32.dll:
0x520004 RegOpenCurrentUser
0x52000c RegQueryInfoKeyW
0x520010 LookupAccountNameW
0x520018 CryptEncrypt
0x52001c CryptImportKey
0x520020 CryptDestroyKey
0x520024 CryptDestroyHash
0x520028 CryptGenRandom
0x52002c CryptReleaseContext
0x520034 CryptGetHashParam
0x520038 CryptHashData
0x52003c CryptCreateHash
0x520044 EnumServicesStatusW
0x520048 OpenSCManagerW
Library SHELL32.dll:
0x5203d8 Shell_NotifyIconW
0x5203dc
0x5203e0 ShellExecuteW
0x5203e8 DragQueryFileW
0x5203ec SHGetFolderPathA
Library SHLWAPI.dll:
0x5203f4 StrIsIntlEqualW
0x5203f8 StrStrIA
0x5203fc PathFileExistsA
0x520400 PathFindFileNameW
0x520404 StrCpyW
0x520408 PathAppendA
0x52040c PathRemoveFileSpecW
0x520410 PathFindFileNameA
0x520414 StrStrW
0x520418 StrCmpIW
Library WININET.dll:
0x5205ec InternetReadFile
0x5205f0 InternetSetOptionW
0x5205f4 InternetConnectA
0x5205f8 HttpSendRequestA
0x5205fc InternetCloseHandle
0x520600 InternetOpenA
0x520604 HttpOpenRequestA
0x520608 HttpQueryInfoA
Library imagehlp.dll:
Library VERSION.dll:
0x5205dc GetFileVersionInfoW
0x5205e0 VerQueryValueW
Library WLDAP32.dll:
0x520610
0x520614
0x520618
0x52061c
0x520620
0x520624
0x520628
0x52062c
0x520630
0x520634
0x520638
0x52063c
0x520640
0x520644
0x520648
0x52064c
Library IMM32.dll:
0x52011c ImmReleaseContext
0x520124 ImmGetContext
Library COMCTL32.dll:
0x520050 _TrackMouseEvent
0x520054
Library gdiplus.dll:
0x5206d0 GdipDisposeImage
0x5206d4 GdipGetImageHeight
0x5206d8 GdipCloneImage
0x5206fc GdipGetPropertyItem
0x520700 GdipDrawImageRectI
0x520704 GdipGetImageWidth
0x520714 GdiplusStartup
0x520718 GdiplusShutdown
0x52071c GdipAlloc
0x520720 GdipFree
0x520724 GdipCloneBrush
0x520728 GdipDeleteBrush
0x52072c GdipCreateSolidFill
0x520730 GdipCreatePen1
0x520734 GdipDeletePen
0x520738 GdipSetPenMode
0x52073c GdipCreateFromHDC
0x520740 GdipDeleteGraphics
0x520750 GdipDrawRectangleI
0x520754 GdipFillRectangleI
0x520760 GdipDeleteFont
0x520764 GdipDrawString
0x520768 GdipMeasureString
Library IPHLPAPI.DLL:
0x52012c GetAdaptersInfo

Hosts

No hosts contacted.

DNS

Name Response Post-Analysis Lookup
time.windows.com A 20.189.79.72
CNAME time.microsoft.akadns.net
ocsp2.globalsign.com A 104.18.21.226
CNAME global.prd.cdn.globalsign.com
CNAME cdn.globalsigncdn.com.cdn.cloudflare.net
A 104.18.20.226 		104.18.21.226
news.7654.com A 1.81.2.59
A 150.138.232.125
CNAME 625020.p23.tc.cdntip.com
CNAME news.7654.com.cdn.dnsv1.com
A 150.138.232.70
A 150.138.232.196
A 219.144.82.121
A 150.138.232.180
A 219.144.82.183 		219.144.82.183
max-l.mediav.com CNAME max.mdvdns.qhcdn.com
A 180.163.247.134 		180.163.247.134
dns.msftncsi.com AAAA fd3e:4f5a:5b81::1 131.107.255.255
dns.msftncsi.com A 131.107.255.255 131.107.255.255
i.haotukankan.com CNAME static.haotukankan.com.cdn.dnsv1.com
A 222.186.54.61
A 58.216.87.99
A 222.186.49.69
A 180.101.217.250
A 110.81.153.240
A 122.246.10.113
A 180.101.153.99
A 59.63.235.200
A 122.224.48.203
CNAME 1837216.sched.sma.tdnsv5.com 		122.224.48.203
hotnews.dftoutiao.com A 106.75.18.180 106.75.18.180
ocsp.globalsign.com A 104.18.21.226
CNAME global.prd.cdn.globalsign.com
CNAME cdn.globalsigncdn.com.cdn.cloudflare.net
A 104.18.20.226 		104.18.20.226
g1xd.mediav.com CNAME ss-lb.mdvdns.qhcdn.com
A 180.163.255.159 		180.163.255.159
clients2.google.com A 216.58.200.46
CNAME clients.l.google.com 		172.217.27.142
s3m5.fenxi.com CNAME s3m5.fenxi.com.qh-cdn.com
A 124.225.165.195
CNAME webcdn.360qhcdn.com
A 124.225.165.194 		124.225.165.195
tt-img.7654.com A 222.186.54.61
A 59.63.235.200
A 58.216.87.99
A 222.186.49.69
A 180.101.217.250
A 110.81.153.240
A 122.246.10.113
A 180.101.153.99
CNAME b34dyxjb.sched.sma.tdnsv5.com
A 122.224.48.203
CNAME tt-img.7654.com.cdn.dnsv1.com 		122.224.48.203
show.g.mediav.com CNAME max.mdvdns.qhcdn.com
A 180.163.247.134 		180.163.247.134
pbstat.haotukankan.com
s3m4.fenxi.com CNAME s3m4.fenxi.com.qh-cdn.com
CNAME webcdn.360qhcdn.com
A 124.225.165.194
A 124.225.165.195 		124.225.165.194
hm.baidu.com CNAME hm.e.shifen.com
A 124.237.176.160 		124.237.176.160
teredo.ipv6.microsoft.com

TCP

Source Source Port Destination Destination Port
104.16.236.79 443 192.168.56.101 49224
104.16.236.79 443 192.168.56.101 49232
104.16.236.79 443 192.168.56.101 49234
104.18.87.101 443 192.168.56.101 49233
192.168.56.101 49203 104.18.20.226 ocsp.globalsign.com 80
192.168.56.101 49206 104.18.20.226 ocsp.globalsign.com 80
192.168.56.101 49180 106.75.18.180 hotnews.dftoutiao.com 80
192.168.56.101 49186 110.81.153.240 tt-img.7654.com 80
192.168.56.101 49179 122.246.10.113 tt-img.7654.com 80
192.168.56.101 49197 124.225.165.194 s3m4.fenxi.com 80
192.168.56.101 49198 124.225.165.195 s3m4.fenxi.com 80
192.168.56.101 49189 124.237.176.160 hm.baidu.com 443
192.168.56.101 49182 150.138.232.180 news.7654.com 80
192.168.56.101 49184 150.138.232.180 news.7654.com 80
192.168.56.101 49185 150.138.232.180 news.7654.com 80
192.168.56.101 49188 180.163.247.134 show.g.mediav.com 80
192.168.56.101 49193 180.163.247.134 show.g.mediav.com 80
192.168.56.101 49195 180.163.247.134 show.g.mediav.com 80
192.168.56.101 49194 180.163.255.159 g1xd.mediav.com 80
192.168.56.101 49196 180.163.255.159 g1xd.mediav.com 80

UDP

Source Source Port Destination Destination Port
192.168.56.101 49235 114.114.114.114 53
192.168.56.101 53210 114.114.114.114 53
192.168.56.101 53380 114.114.114.114 53
192.168.56.101 53500 114.114.114.114 53
192.168.56.101 54178 114.114.114.114 53
192.168.56.101 56539 114.114.114.114 53
192.168.56.101 57236 114.114.114.114 53
192.168.56.101 57756 114.114.114.114 53
192.168.56.101 58970 114.114.114.114 53
192.168.56.101 60088 114.114.114.114 53
192.168.56.101 60123 114.114.114.114 53
192.168.56.101 60221 114.114.114.114 53
192.168.56.101 60384 114.114.114.114 53
192.168.56.101 62318 114.114.114.114 53
192.168.56.101 62912 114.114.114.114 53
192.168.56.101 63429 114.114.114.114 53
192.168.56.101 137 192.168.56.255 137
192.168.56.101 138 192.168.56.255 138
192.168.56.101 123 20.189.79.72 time.windows.com 123
192.168.56.101 49713 224.0.0.252 5355

HTTP & HTTPS Requests

URI Data
http://i.haotukankan.com/tui/tpop/tpop4/tpop.xml 
GET /tui/tpop/tpop4/tpop.xml HTTP/1.1
Host: i.haotukankan.com
Accept: */*
http://tt-img.7654.com/image/285cb44d6b67a338d91f44fa605e366f?imageMogr2/crop/144x86 
GET /image/285cb44d6b67a338d91f44fa605e366f?imageMogr2/crop/144x86 HTTP/1.1
Accept: */*
Referer: http://news.7654.com/tpop4/haotushtpop4/2.html?qid=&env=0&quid=24AEBD0FDEFA6370B2156096BB11532E&titleNews=%e5%9b%bd%e5%ae%b6%e5%8d%ab%e5%81%a5%e5%a7%94%e6%b4%be%e5%87%ba%e4%b8%93%e5%ae%b6%e7%bb%84%e5%89%8d%e5%be%80%e5%ae%89%e5%be%bd&tuid=24AEBD0FDEFA6370B2156096BB11532E&1621008895
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: tt-img.7654.com
Connection: Keep-Alive
http://news.7654.com/tpop4/haotushtpop4/statics/kuaiya_new/css/reset.css?1609137003 
GET /tpop4/haotushtpop4/statics/kuaiya_new/css/reset.css?1609137003 HTTP/1.1
Accept: */*
Referer: http://news.7654.com/tpop4/haotushtpop4/2.html?qid=&env=0&quid=24AEBD0FDEFA6370B2156096BB11532E&titleNews=%e5%9b%bd%e5%ae%b6%e5%8d%ab%e5%81%a5%e5%a7%94%e6%b4%be%e5%87%ba%e4%b8%93%e5%ae%b6%e7%bb%84%e5%89%8d%e5%be%80%e5%ae%89%e5%be%bd&tuid=24AEBD0FDEFA6370B2156096BB11532E&1621008895
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: news.7654.com
Connection: Keep-Alive
http://news.7654.com/tpop4/haotushtpop4/statics/imgs/logo_haotu.png 
GET /tpop4/haotushtpop4/statics/imgs/logo_haotu.png HTTP/1.1
Accept: */*
Referer: http://news.7654.com/tpop4/haotushtpop4/2.html?qid=&env=0&quid=24AEBD0FDEFA6370B2156096BB11532E&titleNews=%e5%9b%bd%e5%ae%b6%e5%8d%ab%e5%81%a5%e5%a7%94%e6%b4%be%e5%87%ba%e4%b8%93%e5%ae%b6%e7%bb%84%e5%89%8d%e5%be%80%e5%ae%89%e5%be%bd&tuid=24AEBD0FDEFA6370B2156096BB11532E&1621008895
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: news.7654.com
Connection: Keep-Alive
http://news.7654.com/tpop4/haotushtpop4/2.html?qid=&env=0&quid=24AEBD0FDEFA6370B2156096BB11532E&titleNews=%e5%9b%bd%e5%ae%b6%e5%8d%ab%e5%81%a5%e5%a7%94%e6%b4%be%e5%87%ba%e4%b8%93%e5%ae%b6%e7%bb%84%e5%89%8d%e5%be%80%e5%ae%89%e5%be%bd&tuid=24AEBD0FDEFA6370B2156096BB11532E&1621008895 
GET /tpop4/haotushtpop4/2.html?qid=&env=0&quid=24AEBD0FDEFA6370B2156096BB11532E&titleNews=%e5%9b%bd%e5%ae%b6%e5%8d%ab%e5%81%a5%e5%a7%94%e6%b4%be%e5%87%ba%e4%b8%93%e5%ae%b6%e7%bb%84%e5%89%8d%e5%be%80%e5%ae%89%e5%be%bd&tuid=24AEBD0FDEFA6370B2156096BB11532E&1621008895 HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: news.7654.com
Connection: Keep-Alive
http://max-l.mediav.com/rtb?type=2&v=CGQSEDE1NTczNmU0ZWFiMTA0MWIYiaOOASC0k0EoAWIXMjI2MjM1MDI3NTEzNjE1MTQwNTAwMjFwAYgBAJoBEDE1NTczNmU0ZWFiMTA4MWKiARAxNTU3MzZlNGVhYjEwNDFi&k=Jp8ZVwAAAAA=&ver=1&exp=EABDEgBDIABDNQBDQABDVABDcgBDggBDIAJDQAJDBQBECQBECQFENwJERQJEYgJE&w=AAAAAGCeKJMAAAAAAAPPMIlf-dT4wZct0374nw&i=alrRnuGEzDVE&st=__EVENT_TIME_START__&et=__EVENT_TIME_END__ 
GET /rtb?type=2&v=CGQSEDE1NTczNmU0ZWFiMTA0MWIYiaOOASC0k0EoAWIXMjI2MjM1MDI3NTEzNjE1MTQwNTAwMjFwAYgBAJoBEDE1NTczNmU0ZWFiMTA4MWKiARAxNTU3MzZlNGVhYjEwNDFi&k=Jp8ZVwAAAAA=&ver=1&exp=EABDEgBDIABDNQBDQABDVABDcgBDggBDIAJDQAJDBQBECQBECQFENwJERQJEYgJE&w=AAAAAGCeKJMAAAAAAAPPMIlf-dT4wZct0374nw&i=alrRnuGEzDVE&st=__EVENT_TIME_START__&et=__EVENT_TIME_END__ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Referer: http://news.7654.com/tpop4/haotushtpop4/2.html?qid=&env=0&quid=24AEBD0FDEFA6370B2156096BB11532E&titleNews=%e5%9b%bd%e5%ae%b6%e5%8d%ab%e5%81%a5%e5%a7%94%e6%b4%be%e5%87%ba%e4%b8%93%e5%ae%b6%e7%bb%84%e5%89%8d%e5%be%80%e5%ae%89%e5%be%bd&tuid=24AEBD0FDEFA6370B2156096BB11532E&1621008895
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: max-l.mediav.com
Connection: Keep-Alive
Cookie: v=6!zaWdd-[<8YFI4pfdqB; ckmts=PUbWcCXr,L6cWcCXr
http://g1xd.mediav.com/s?type=1&r=20&tid=MjI2MjM1MDI3NTEzNjE1MTQwNTAwMjE&finfo=DAABCAABAAAAIQgAAgAAAAQEAAM/gOc/otTkSQAIAAIAAAADCgADJeRSPHeyEAsIAAQAAAAEBgAGLbcGAAoAAAoADwAAAAAABQkQAA&mv_ref=news.7654.com&enup=CAABOzJVEwgAAhNVMjsA&mvid=MjI2MjM1MDI3NTEzNjE1MTQwNTAwMjE&bid=155736e4eab1041b&ugi=FeimggEVjKJjTBUCFZQCFZgCFQAAFd+TmrYDFoAIFcgBFoCr6OmpkeEFHBadgKfYh57fg+wBFQAAJbH758QPAA&uai=FZLGnAIlCBUCFtrdgLuPyaTkSxXyCCWUg7SvDyUAFRoUABwW9Nn7r9uPwvx4FQAAAA&ubi=FaKGhAEVhJXEAxWkosscFY7C5GAVBBUcFqyMmcQYFtrdlaKZj6nkSzQCFqKgkIDAAiUGFYC63Y4HFeQOFQAkFBbTtL63oryQhJUBFQAl5gIVDBUMFQIXAAAAAJpCor8A&ds=1&price=AAAAAGCeKJMAAAAAAAPPFjwgeqhBUQHyyWnlgQ== 
GET /s?type=1&r=20&tid=MjI2MjM1MDI3NTEzNjE1MTQwNTAwMjE&finfo=DAABCAABAAAAIQgAAgAAAAQEAAM/gOc/otTkSQAIAAIAAAADCgADJeRSPHeyEAsIAAQAAAAEBgAGLbcGAAoAAAoADwAAAAAABQkQAA&mv_ref=news.7654.com&enup=CAABOzJVEwgAAhNVMjsA&mvid=MjI2MjM1MDI3NTEzNjE1MTQwNTAwMjE&bid=155736e4eab1041b&ugi=FeimggEVjKJjTBUCFZQCFZgCFQAAFd+TmrYDFoAIFcgBFoCr6OmpkeEFHBadgKfYh57fg+wBFQAAJbH758QPAA&uai=FZLGnAIlCBUCFtrdgLuPyaTkSxXyCCWUg7SvDyUAFRoUABwW9Nn7r9uPwvx4FQAAAA&ubi=FaKGhAEVhJXEAxWkosscFY7C5GAVBBUcFqyMmcQYFtrdlaKZj6nkSzQCFqKgkIDAAiUGFYC63Y4HFeQOFQAkFBbTtL63oryQhJUBFQAl5gIVDBUMFQIXAAAAAJpCor8A&ds=1&price=AAAAAGCeKJMAAAAAAAPPFjwgeqhBUQHyyWnlgQ== HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Referer: http://news.7654.com/tpop4/haotushtpop4/2.html?qid=&env=0&quid=24AEBD0FDEFA6370B2156096BB11532E&titleNews=%e5%9b%bd%e5%ae%b6%e5%8d%ab%e5%81%a5%e5%a7%94%e6%b4%be%e5%87%ba%e4%b8%93%e5%ae%b6%e7%bb%84%e5%89%8d%e5%be%80%e5%ae%89%e5%be%bd&tuid=24AEBD0FDEFA6370B2156096BB11532E&1621008895
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: g1xd.mediav.com
Connection: Keep-Alive
Cookie: v=6!zaWdd-[<8YFI4pfdqB; ckmts=PUbWcCXr,L6cWcCXr
http://show.g.mediav.com/s?type=1&of=4&newf=1&showid=UIFwyR&uid=16210089051062298&reqtimes=1&impct=2&jsonp=jQuery19108689790511174189_1621008903574&_=1621008903575 
GET /s?type=1&of=4&newf=1&showid=UIFwyR&uid=16210089051062298&reqtimes=1&impct=2&jsonp=jQuery19108689790511174189_1621008903574&_=1621008903575 HTTP/1.1
Accept: */*
Referer: http://news.7654.com/tpop4/haotushtpop4/2.html?qid=&env=0&quid=24AEBD0FDEFA6370B2156096BB11532E&titleNews=%e5%9b%bd%e5%ae%b6%e5%8d%ab%e5%81%a5%e5%a7%94%e6%b4%be%e5%87%ba%e4%b8%93%e5%ae%b6%e7%bb%84%e5%89%8d%e5%be%80%e5%ae%89%e5%be%bd&tuid=24AEBD0FDEFA6370B2156096BB11532E&1621008895
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: show.g.mediav.com
Connection: Keep-Alive
http://hotnews.dftoutiao.com/hotwordsnews/getnews?qid=haotutitle&platform=pc&newstype=now 
GET /hotwordsnews/getnews?qid=haotutitle&platform=pc&newstype=now HTTP/1.1
Host: hotnews.dftoutiao.com
Accept: */*
http://news.7654.com/tpop4/haotushtpop4/statics/tpop1130/js/tpop.js?1609137003 
GET /tpop4/haotushtpop4/statics/tpop1130/js/tpop.js?1609137003 HTTP/1.1
Accept: */*
Referer: http://news.7654.com/tpop4/haotushtpop4/2.html?qid=&env=0&quid=24AEBD0FDEFA6370B2156096BB11532E&titleNews=%e5%9b%bd%e5%ae%b6%e5%8d%ab%e5%81%a5%e5%a7%94%e6%b4%be%e5%87%ba%e4%b8%93%e5%ae%b6%e7%bb%84%e5%89%8d%e5%be%80%e5%ae%89%e5%be%bd&tuid=24AEBD0FDEFA6370B2156096BB11532E&1621008895
Accept-Language: zh-CN
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: news.7654.com
Connection: Keep-Alive

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.