paladin316

Exes_7c416c2b_jpg.json

Jun 17th, 2019
  1.  
  2. [*] MalFamily: "Shade"
  3.  
  4. [*] MalScore: 10.0
  5.  
  6. [*] File Name: "Exes_7c416c2b.jpg"
  7. [*] File Size: 1217800
  8. [*] File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. [*] SHA256: "ecbe8ab4a1d08eac6a0cab99ace3e0eb6a37a9834e2996c208cdf91b351ff022"
  10. [*] MD5: "cad93bdcbcf806d7409e6899d1d40d5d"
  11. [*] SHA1: "e543186e78d2d36a00dbc187e34e2379a7f993d7"
  12. [*] SHA512: "d95b2b443ffd6b4dd3a97a721ae826a0ea9ff0876f3a5cc312d40d73be5f8f940ffa1892a09e4ce6d6ed4300b00016a87ee0f0de44b5f3fb8d2f86797a94e457"
  13. [*] CRC32: "7C416C2B"
  14. [*] SSDEEP: "24576:V/KnFivASBMXgRNhrW+PZrtNeGmUVIjtLpw5tLpwX:1gFivAuMX6NQ+PZrtwGmcutLUtLk"
  15.  
  16. [*] Process Execution: [
  17. "Exes_7c416c2b.jpg"
  18. ]
  19.  
  20. [*] Signatures Detected: [
  21. {
  22. "Description": "Creates RWX memory",
  23. "Details": []
  24. },
  25. {
  26. "Description": "Attempts to connect to a dead IP:Port (6 unique times)",
  27. "Details": [
  28. {
  29. "IP": "142.93.232.80:443"
  30. },
  31. {
  32. "IP": "131.188.40.189:443"
  33. },
  34. {
  35. "IP": "51.15.56.123:9001"
  36. },
  37. {
  38. "IP": "136.243.82.132:9001"
  39. },
  40. {
  41. "IP": "171.25.193.9:80"
  42. },
  43. {
  44. "IP": "163.172.142.92:443"
  45. }
  46. ]
  47. },
  48. {
  49. "Description": "Starts servers listening on 127.0.0.1:41822",
  50. "Details": []
  51. },
  52. {
  53. "Description": "Reads data out of its own binary image",
  54. "Details": [
  55. {
  56. "self_read": "process: Exes_7c416c2b.jpg, pid: 960, offset: 0x00000000, length: 0x00129508"
  57. }
  58. ]
  59. },
  60. {
  61. "Description": "Performs some HTTP requests",
  62. "Details": [
  63. {
  64. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D"
  65. },
  66. {
  67. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D"
  68. },
  69. {
  70. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D"
  71. },
  72. {
  73. "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDoV9Mh%2FtNM5k9Pus79K5eQ%3D"
  74. },
  75. {
  76. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D"
  77. },
  78. {
  79. "url": "http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D"
  80. },
  81. {
  82. "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEEpXWRnDaZSEY67E8B6coDU%3D"
  83. },
  84. {
  85. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAwVvkoVuwkDyQGx1sJlMC8%3D"
  86. },
  87. {
  88. "url": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab"
  89. },
  90. {
  91. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D"
  92. },
  93. {
  94. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D"
  95. },
  96. {
  97. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D"
  98. },
  99. {
  100. "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEH4PjD8bD0NfJXpoX0ln6s4%3D"
  101. },
  102. {
  103. "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHQnb7Tt0tUhlRVnnq4nPN8%3D"
  104. },
  105. {
  106. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D"
  107. },
  108. {
  109. "url": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHAHFVlJElKyLEMbtWWDIbo%3D"
  110. },
  111. {
  112. "url": "http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAGyvV14%2FmEPDgh0AAAAAbK8%3D"
  113. },
  114. {
  115. "url": "http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D"
  116. },
  117. {
  118. "url": "http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D"
  119. },
  120. {
  121. "url": "http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEBT4%2FdFn%2BSQCsVcLXcSVyBU%3D"
  122. },
  123. {
  124. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D"
  125. },
  126. {
  127. "url": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D"
  128. },
  129. {
  130. "url": "http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D"
  131. },
  132. {
  133. "url": "http://redirector.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe"
  134. },
  135. {
  136. "url": "http://r13---sn-bvvbax-2ime.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes"
  137. }
  138. ]
  139. },
  140. {
  141. "Description": "The binary likely contains encrypted or compressed data.",
  142. "Details": [
  143. {
  144. "section": "name: .data, entropy: 7.30, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE, raw_size: 0x000fe800, virtual_size: 0x000fec20"
  145. },
  146. {
  147. "section": "name: .rsrc, entropy: 7.24, characteristics: IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ, raw_size: 0x00024c00, virtual_size: 0x00101a78"
  148. }
  149. ]
  150. },
  151. {
  152. "Description": "Installs Tor on the infected machine",
  153. "Details": []
  154. },
  155. {
  156. "Description": "Installs itself for autorun at Windows startup",
  157. "Details": [
  158. {
  159. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Client Server Runtime Subsystem"
  160. },
  161. {
  162. "data": "\"C:\\ProgramData\\Windows\\csrss.exe\""
  163. }
  164. ]
  165. },
  166. {
  167. "Description": "Collects information about installed applications",
  168. "Details": [
  169. {
  170. "Program": "Google Update Helper"
  171. },
  172. {
  173. "Program": "Python 3.7.2"
  174. },
  175. {
  176. "Program": "Microsoft Excel MUI 2013"
  177. },
  178. {
  179. "Program": "Microsoft Outlook MUI 2013"
  180. },
  181. {
  182. "Program": "Python 2.7.15"
  183. },
  184. {
  185. "Program": "Google Chrome"
  186. },
  187. {
  188. "Program": "Adobe Flash Player 29 NPAPI"
  189. },
  190. {
  191. "Program": "Adobe Flash Player 29 ActiveX"
  192. },
  193. {
  194. "Program": "Microsoft DCF MUI 2013"
  195. },
  196. {
  197. "Program": "Microsoft Access MUI 2013"
  198. },
  199. {
  200. "Program": "Microsoft Office Proofing Tools 2013 - English"
  201. },
  202. {
  203. "Program": "Adobe Acrobat Reader DC"
  204. },
  205. {
  206. "Program": "Microsoft Publisher MUI 2013"
  207. },
  208. {
  209. "Program": "Microsoft Office Shared MUI 2013"
  210. },
  211. {
  212. "Program": "Microsoft Office OSM MUI 2013"
  213. },
  214. {
  215. "Program": "Microsoft InfoPath MUI 2013"
  216. },
  217. {
  218. "Program": "Microsoft Office Shared Setup Metadata MUI 2013"
  219. },
  220. {
  221. "Program": "Outils de vérification linguistique 2013 de Microsoft Office - Français"
  222. },
  223. {
  224. "Program": "Microsoft Word MUI 2013"
  225. },
  226. {
  227. "Program": "Microsoft OneDrive"
  228. },
  229. {
  230. "Program": "Microsoft Groove MUI 2013"
  231. },
  232. {
  233. "Program": "Microsoft Office Proofing Tools 2013 - Español"
  234. },
  235. {
  236. "Program": "Python 2.7 PIL-1.1.7"
  237. },
  238. {
  239. "Program": "Microsoft Access Setup Metadata MUI 2013"
  240. },
  241. {
  242. "Program": "Microsoft Office OSM UX MUI 2013"
  243. },
  244. {
  245. "Program": "Java Auto Updater"
  246. },
  247. {
  248. "Program": "Microsoft PowerPoint MUI 2013"
  249. },
  250. {
  251. "Program": "Microsoft Office Professional Plus 2013"
  252. },
  253. {
  254. "Program": "Adobe Refresh Manager"
  255. },
  256. {
  257. "Program": "Microsoft Office Proofing 2013"
  258. },
  259. {
  260. "Program": "Microsoft Lync MUI 2013"
  261. },
  262. {
  263. "Program": "Python Launcher"
  264. },
  265. {
  266. "Program": "Microsoft OneNote MUI 2013"
  267. }
  268. ]
  269. },
  270. {
  271. "Description": "Creates a hidden or system file",
  272. "Details": [
  273. {
  274. "file": "C:\\ProgramData\\Windows\\"
  275. }
  276. ]
  277. },
  278. {
  279. "Description": "File has been identified by 53 Antiviruses on VirusTotal as malicious",
  280. "Details": [
  281. {
  282. "MicroWorld-eScan": "Trojan.GenericKD.31615007"
  283. },
  284. {
  285. "CAT-QuickHeal": "Trojan.Azden"
  286. },
  287. {
  288. "McAfee": "Trojan-FQSD!CAD93BDCBCF8"
  289. },
  290. {
  291. "Cylance": "Unsafe"
  292. },
  293. {
  294. "VIPRE": "Trojan.Win32.Generic!BT"
  295. },
  296. {
  297. "AegisLab": "Trojan.Win32.Shade.4!c"
  298. },
  299. {
  300. "BitDefender": "Trojan.GenericKD.31615007"
  301. },
  302. {
  303. "K7GW": "Trojan ( 00546c801 )"
  304. },
  305. {
  306. "K7AntiVirus": "Trojan ( 00546c801 )"
  307. },
  308. {
  309. "Arcabit": "Trojan.Generic.D1E2681F"
  310. },
  311. {
  312. "NANO-Antivirus": "Trojan.Win32.Kryptik.fmnowj"
  313. },
  314. {
  315. "ESET-NOD32": "Win32/Filecoder.Shade.A"
  316. },
  317. {
  318. "APEX": "Malicious"
  319. },
  320. {
  321. "Paloalto": "generic.ml"
  322. },
  323. {
  324. "Kaspersky": "HEUR:Trojan-Ransom.Win32.Shade.gen"
  325. },
  326. {
  327. "Alibaba": "Ransom:Win32/Shade.50731913"
  328. },
  329. {
  330. "Tencent": "Win32.Trojan.Filecoder.Tccf"
  331. },
  332. {
  333. "Endgame": "malicious (high confidence)"
  334. },
  335. {
  336. "Emsisoft": "Trojan-Ransom.Shade (A)"
  337. },
  338. {
  339. "Comodo": "Malware@#1itqh2rz0y47o"
  340. },
  341. {
  342. "F-Secure": "Trojan.TR/AD.Troldesh.jqrop"
  343. },
  344. {
  345. "DrWeb": "Trojan.Encoder.858"
  346. },
  347. {
  348. "Zillya": "Trojan.Shade.Win32.985"
  349. },
  350. {
  351. "Invincea": "heuristic"
  352. },
  353. {
  354. "McAfee-GW-Edition": "Trojan-FQSD!CAD93BDCBCF8"
  355. },
  356. {
  357. "Trapmine": "suspicious.low.ml.score"
  358. },
  359. {
  360. "FireEye": "Generic.mg.cad93bdcbcf806d7"
  361. },
  362. {
  363. "Ikarus": "Trojan-Ransom.Crypted007"
  364. },
  365. {
  366. "Cyren": "W32/Trojan.HXGR-2675"
  367. },
  368. {
  369. "Jiangmin": "Trojan.Shade.qz"
  370. },
  371. {
  372. "Webroot": "W32.Malware.Gen"
  373. },
  374. {
  375. "Avira": "TR/AD.Troldesh.jqrop"
  376. },
  377. {
  378. "Antiy-AVL": "Trojan[Ransom]/Win32.Shade"
  379. },
  380. {
  381. "Microsoft": "Trojan:Win32/Emotet.PB"
  382. },
  383. {
  384. "ZoneAlarm": "HEUR:Trojan-Ransom.Win32.Shade.gen"
  385. },
  386. {
  387. "GData": "Trojan.GenericKD.31615007"
  388. },
  389. {
  390. "Sophos": "Mal/Cerber-AL"
  391. },
  392. {
  393. "AhnLab-V3": "Trojan/Win32.Hermesran.R254356"
  394. },
  395. {
  396. "Acronis": "suspicious"
  397. },
  398. {
  399. "VBA32": "TrojanRansom.Shade"
  400. },
  401. {
  402. "ALYac": "Trojan.Ransom.Shade"
  403. },
  404. {
  405. "Ad-Aware": "Trojan.GenericKD.31615007"
  406. },
  407. {
  408. "Malwarebytes": "Trojan.MalPack"
  409. },
  410. {
  411. "TrendMicro-HouseCall": "TrojanSpy.Win32.EMOTET.SMA"
  412. },
  413. {
  414. "Rising": "Trojan.Kryptik!8.8 (CLOUD)"
  415. },
  416. {
  417. "SentinelOne": "DFI - Malicious PE"
  418. },
  419. {
  420. "Fortinet": "W32/Kryptik.GQEV!tr"
  421. },
  422. {
  423. "MaxSecure": "Trojan.Malware.74102313.susgen"
  424. },
  425. {
  426. "AVG": "Win32:Trojan-gen"
  427. },
  428. {
  429. "Cybereason": "malicious.cbcf80"
  430. },
  431. {
  432. "Avast": "Win32:Trojan-gen"
  433. },
  434. {
  435. "CrowdStrike": "win/malicious_confidence_100% (W)"
  436. },
  437. {
  438. "Qihoo-360": "HEUR/QVM20.1.E8FF.Malware.Gen"
  439. }
  440. ]
  441. },
  442. {
  443. "Description": "Creates a copy of itself",
  444. "Details": [
  445. {
  446. "copy": "C:\\ProgramData\\Windows\\csrss.exe"
  447. }
  448. ]
  449. },
  450. {
  451. "Description": "Harvests information related to installed mail clients",
  452. "Details": [
  453. {
  454. "file": "C:\\Users\\user\\Documents\\Outlook Files\\Outlook.pst"
  455. }
  456. ]
  457. },
  458. {
  459. "Description": "Anomalous binary characteristics",
  460. "Details": [
  461. {
  462. "anomaly": "Actual checksum does not match that reported in PE header"
  463. }
  464. ]
  465. },
  466. {
  467. "Description": "Created network traffic indicative of malicious activity",
  468. "Details": [
  469. {
  470. "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 177"
  471. },
  472. {
  473. "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 147"
  474. },
  475. {
  476. "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 187"
  477. },
  478. {
  479. "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 507"
  480. },
  481. {
  482. "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 131"
  483. },
  484. {
  485. "signature": "ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 125"
  486. }
  487. ]
  488. }
  489. ]
  490.  
  491. [*] Started Service: []
  492.  
  493. [*] Executed Commands: []
  494.  
  495. [*] Mutexes: []
  496.  
  497. [*] Modified Files: [
  498. "\\??\\PIPE\\wkssvc",
  499. "C:\\ProgramData\\Windows\\csrss.exe",
  500. "\\??\\PIPE\\srvsvc",
  501. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\lock",
  502. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\state.tmp",
  503. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\state",
  504. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\unverified-microdesc-consensus.tmp",
  505. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\unverified-microdesc-consensus",
  506. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-certs.tmp",
  507. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-certs",
  508. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-microdesc-consensus.tmp",
  509. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-microdesc-consensus"
  510. ]
  511.  
  512. [*] Deleted Files: [
  513. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\state.tmp",
  514. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\unverified-microdesc-consensus.tmp",
  515. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-certs.tmp",
  516. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\unverified-microdesc-consensus",
  517. "C:\\Users\\user\\AppData\\Local\\Temp\\6893A5D897\\cached-microdesc-consensus.tmp"
  518. ]
  519.  
  520. [*] Modified Registry Keys: [
  521. "HKEY_LOCAL_MACHINE\\SOFTWARE\\System32\\Configuration\\",
  522. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\System32\\Configuration\\xi",
  523. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Client Server Runtime Subsystem",
  524. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\System32\\Configuration\\xVersion"
  525. ]
  526.  
  527. [*] Deleted Registry Keys: []
  528.  
  529. [*] DNS Communications: []
  530.  
  531. [*] Domains: []
  532.  
  533. [*] Network Communication - ICMP: []
  534.  
  535. [*] Network Communication - HTTP: [
  536. {
  537. "count": 1,
  538. "body": "",
  539. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
  540. "user-agent": "Microsoft-CryptoAPI/6.1",
  541. "method": "GET",
  542. "host": "ocsp.digicert.com",
  543. "version": "1.1",
  544. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D",
  545. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAPxtOFfOoLxFJZ4s9fYR1w%3D HTTP/1.1\r\nCache-Control: max-age = 128165\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 11:02:13 GMT\r\nIf-None-Match: \"5c961235-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  546. "port": 80
  547. },
  548. {
  549. "count": 1,
  550. "body": "",
  551. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
  552. "user-agent": "Microsoft-CryptoAPI/6.1",
  553. "method": "GET",
  554. "host": "ocsp.digicert.com",
  555. "version": "1.1",
  556. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D",
  557. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEA%2BdzSc7B3UzA8k03selSwo%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  558. "port": 80
  559. },
  560. {
  561. "count": 1,
  562. "body": "",
  563. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
  564. "user-agent": "Microsoft-CryptoAPI/6.1",
  565. "method": "GET",
  566. "host": "ocsp.digicert.com",
  567. "version": "1.1",
  568. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D",
  569. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSPwl%2BrBFlJbvzLXU1bGW08VysJ2wQUj%2Bh%2B8G0yagAFI8dwl2o6kP9r6tQCEAaJg2QslT5G973OQUPxM8E%3D HTTP/1.1\r\nCache-Control: max-age = 143038\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 15:00:07 GMT\r\nIf-None-Match: \"5c9649f7-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  570. "port": 80
  571. },
  572. {
  573. "count": 1,
  574. "body": "",
  575. "uri": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDoV9Mh%2FtNM5k9Pus79K5eQ%3D",
  576. "user-agent": "Microsoft-CryptoAPI/6.1",
  577. "method": "GET",
  578. "host": "ocsp.pki.goog",
  579. "version": "1.1",
  580. "path": "/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDoV9Mh%2FtNM5k9Pus79K5eQ%3D",
  581. "data": "GET /GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEDoV9Mh%2FtNM5k9Pus79K5eQ%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
  582. "port": 80
  583. },
  584. {
  585. "count": 1,
  586. "body": "",
  587. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D",
  588. "user-agent": "Microsoft-CryptoAPI/6.1",
  589. "method": "GET",
  590. "host": "ocsp.digicert.com",
  591. "version": "1.1",
  592. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D",
  593. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D HTTP/1.1\r\nCache-Control: max-age = 89056\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Fri, 22 Mar 2019 18:30:24 GMT\r\nIf-None-Match: \"5c9529c0-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  594. "port": 80
  595. },
  596. {
  597. "count": 1,
  598. "body": "",
  599. "uri": "http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl",
  600. "user-agent": "Microsoft-CryptoAPI/6.1",
  601. "method": "GET",
  602. "host": "crl.microsoft.com",
  603. "version": "1.1",
  604. "path": "/pki/crl/products/MicrosoftTimeStampPCA.crl",
  605. "data": "GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 16 Feb 2019 02:02:49 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl.microsoft.com\r\n\r\n",
  606. "port": 80
  607. },
  608. {
  609. "count": 1,
  610. "body": "",
  611. "uri": "http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D",
  612. "user-agent": "Microsoft-CryptoAPI/6.1",
  613. "method": "GET",
  614. "host": "ocsp.comodoca.com",
  615. "version": "1.1",
  616. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D",
  617. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D HTTP/1.1\r\nCache-Control: max-age = 94804\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Mon, 11 Mar 2019 04:19:13 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.comodoca.com\r\n\r\n",
  618. "port": 80
  619. },
  620. {
  621. "count": 1,
  622. "body": "",
  623. "uri": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEEpXWRnDaZSEY67E8B6coDU%3D",
  624. "user-agent": "Microsoft-CryptoAPI/6.1",
  625. "method": "GET",
  626. "host": "ocsp.pki.goog",
  627. "version": "1.1",
  628. "path": "/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEEpXWRnDaZSEY67E8B6coDU%3D",
  629. "data": "GET /GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEEpXWRnDaZSEY67E8B6coDU%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
  630. "port": 80
  631. },
  632. {
  633. "count": 1,
  634. "body": "",
  635. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAwVvkoVuwkDyQGx1sJlMC8%3D",
  636. "user-agent": "Microsoft-CryptoAPI/6.1",
  637. "method": "GET",
  638. "host": "ocsp.digicert.com",
  639. "version": "1.1",
  640. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAwVvkoVuwkDyQGx1sJlMC8%3D",
  641. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAwVvkoVuwkDyQGx1sJlMC8%3D HTTP/1.1\r\nCache-Control: max-age = 108232\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Fri, 22 Mar 2019 23:50:01 GMT\r\nIf-None-Match: \"5c9574a9-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  642. "port": 80
  643. },
  644. {
  645. "count": 1,
  646. "body": "",
  647. "uri": "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
  648. "user-agent": "Microsoft-CryptoAPI/6.1",
  649. "method": "GET",
  650. "host": "www.download.windowsupdate.com",
  651. "version": "1.1",
  652. "path": "/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
  653. "data": "GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Fri, 22 Feb 2019 16:53:13 GMT\r\nIf-None-Match: \"80e22c19cfcad41:0\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: www.download.windowsupdate.com\r\n\r\n",
  654. "port": 80
  655. },
  656. {
  657. "count": 1,
  658. "body": "",
  659. "uri": "http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl",
  660. "user-agent": "Microsoft-CryptoAPI/6.1",
  661. "method": "GET",
  662. "host": "crl.microsoft.com",
  663. "version": "1.1",
  664. "path": "/pki/crl/products/MicCodSigPCA_08-31-2010.crl",
  665. "data": "GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Thu, 14 Feb 2019 06:01:18 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl.microsoft.com\r\n\r\n",
  666. "port": 80
  667. },
  668. {
  669. "count": 1,
  670. "body": "",
  671. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D",
  672. "user-agent": "Microsoft-CryptoAPI/6.1",
  673. "method": "GET",
  674. "host": "ocsp.digicert.com",
  675. "version": "1.1",
  676. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D",
  677. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D HTTP/1.1\r\nCache-Control: max-age = 93156\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 16 Mar 2019 04:40:45 GMT\r\nIf-None-Match: \"5c8c7e4d-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  678. "port": 80
  679. },
  680. {
  681. "count": 1,
  682. "body": "",
  683. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D",
  684. "user-agent": "Microsoft-CryptoAPI/6.1",
  685. "method": "GET",
  686. "host": "ocsp.digicert.com",
  687. "version": "1.1",
  688. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D",
  689. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D HTTP/1.1\r\nCache-Control: max-age = 149079\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 11:10:47 GMT\r\nIf-None-Match: \"5c961437-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  690. "port": 80
  691. },
  692. {
  693. "count": 1,
  694. "body": "",
  695. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D",
  696. "user-agent": "Microsoft-CryptoAPI/6.1",
  697. "method": "GET",
  698. "host": "ocsp.digicert.com",
  699. "version": "1.1",
  700. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D",
  701. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAiIzVJfGSRETRSlgpHeuVI%3D HTTP/1.1\r\nCache-Control: max-age = 148251\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 16 Mar 2019 18:10:24 GMT\r\nIf-None-Match: \"5c8d3c10-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  702. "port": 80
  703. },
  704. {
  705. "count": 1,
  706. "body": "",
  707. "uri": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEH4PjD8bD0NfJXpoX0ln6s4%3D",
  708. "user-agent": "Microsoft-CryptoAPI/6.1",
  709. "method": "GET",
  710. "host": "ocsp.pki.goog",
  711. "version": "1.1",
  712. "path": "/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEH4PjD8bD0NfJXpoX0ln6s4%3D",
  713. "data": "GET /GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEH4PjD8bD0NfJXpoX0ln6s4%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
  714. "port": 80
  715. },
  716. {
  717. "count": 1,
  718. "body": "",
  719. "uri": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHQnb7Tt0tUhlRVnnq4nPN8%3D",
  720. "user-agent": "Microsoft-CryptoAPI/6.1",
  721. "method": "GET",
  722. "host": "ocsp.pki.goog",
  723. "version": "1.1",
  724. "path": "/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHQnb7Tt0tUhlRVnnq4nPN8%3D",
  725. "data": "GET /GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHQnb7Tt0tUhlRVnnq4nPN8%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
  726. "port": 80
  727. },
  728. {
  729. "count": 1,
  730. "body": "",
  731. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D",
  732. "user-agent": "Microsoft-CryptoAPI/6.1",
  733. "method": "GET",
  734. "host": "ocsp.digicert.com",
  735. "version": "1.1",
  736. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D",
  737. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D HTTP/1.1\r\nCache-Control: max-age = 126990\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 10:41:16 GMT\r\nIf-None-Match: \"5c960d4c-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  738. "port": 80
  739. },
  740. {
  741. "count": 1,
  742. "body": "",
  743. "uri": "http://ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHAHFVlJElKyLEMbtWWDIbo%3D",
  744. "user-agent": "Microsoft-CryptoAPI/6.1",
  745. "method": "GET",
  746. "host": "ocsp.pki.goog",
  747. "version": "1.1",
  748. "path": "/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHAHFVlJElKyLEMbtWWDIbo%3D",
  749. "data": "GET /GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEHAHFVlJElKyLEMbtWWDIbo%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
  750. "port": 80
  751. },
  752. {
  753. "count": 1,
  754. "body": "",
  755. "uri": "http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAGyvV14%2FmEPDgh0AAAAAbK8%3D",
  756. "user-agent": "Microsoft-CryptoAPI/6.1",
  757. "method": "GET",
  758. "host": "ocsp.msocsp.com",
  759. "version": "1.1",
  760. "path": "/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAGyvV14%2FmEPDgh0AAAAAbK8%3D",
  761. "data": "GET /MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAGyvV14%2FmEPDgh0AAAAAbK8%3D HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Sat, 23 Mar 2019 17:46:18 GMT\r\nIf-None-Match: \"dd54d75d4688b8dc62b087df4e04af258704c48b\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.msocsp.com\r\n\r\n",
  762. "port": 80
  763. },
  764. {
  765. "count": 1,
  766. "body": "",
  767. "uri": "http://ocsp.thawte.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D",
  768. "user-agent": "Microsoft-CryptoAPI/6.1",
  769. "method": "GET",
  770. "host": "ocsp.thawte.com",
  771. "version": "1.1",
  772. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D",
  773. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQwF4prw9S7mCbCEHD%2Fyl6nWPkczAQUe1tFz6%2FOy3r9MZIaarbzRutXSFACEEeXTXhzpbyrDS%2BzcBkvzl4%3D HTTP/1.1\r\nCache-Control: max-age = 320712\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Wed, 20 Mar 2019 11:42:01 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.thawte.com\r\n\r\n",
  774. "port": 80
  775. },
  776. {
  777. "count": 1,
  778. "body": "",
  779. "uri": "http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D",
  780. "user-agent": "Microsoft-CryptoAPI/6.1",
  781. "method": "GET",
  782. "host": "ocsp.usertrust.com",
  783. "version": "1.1",
  784. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D",
  785. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D HTTP/1.1\r\nCache-Control: max-age = 94765\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Mon, 11 Mar 2019 04:19:13 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.usertrust.com\r\n\r\n",
  786. "port": 80
  787. },
  788. {
  789. "count": 1,
  790. "body": "",
  791. "uri": "http://th.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEBT4%2FdFn%2BSQCsVcLXcSVyBU%3D",
  792. "user-agent": "Microsoft-CryptoAPI/6.1",
  793. "method": "GET",
  794. "host": "th.symcd.com",
  795. "version": "1.1",
  796. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEBT4%2FdFn%2BSQCsVcLXcSVyBU%3D",
  797. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRsif7263KedmR2MLuYKv9%2BWQCtWAQU1A1lP3q9NMb%2BR%2BdMDcC98t4Vq3ECEBT4%2FdFn%2BSQCsVcLXcSVyBU%3D HTTP/1.1\r\nCache-Control: max-age = 386377\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Thu, 21 Mar 2019 05:58:32 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: th.symcd.com\r\n\r\n",
  798. "port": 80
  799. },
  800. {
  801. "count": 1,
  802. "body": "",
  803. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D",
  804. "user-agent": "Microsoft-CryptoAPI/6.1",
  805. "method": "GET",
  806. "host": "ocsp.digicert.com",
  807. "version": "1.1",
  808. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D",
  809. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D HTTP/1.1\r\nCache-Control: max-age = 142986\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 07:40:28 GMT\r\nIf-None-Match: \"5cece5ec-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  810. "port": 80
  811. },
  812. {
  813. "count": 1,
  814. "body": "",
  815. "uri": "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D",
  816. "user-agent": "Microsoft-CryptoAPI/6.1",
  817. "method": "GET",
  818. "host": "ocsp.digicert.com",
  819. "version": "1.1",
  820. "path": "/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D",
  821. "data": "GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAVG%2Fhgj9%2BGUHaOfzhTEYXM%3D HTTP/1.1\r\nCache-Control: max-age = 161796\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Tue, 28 May 2019 13:00:33 GMT\r\nIf-None-Match: \"5ced30f1-1d7\"\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.digicert.com\r\n\r\n",
  822. "port": 80
  823. },
  824. {
  825. "count": 1,
  826. "body": "",
  827. "uri": "http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D",
  828. "user-agent": "Microsoft-CryptoAPI/6.1",
  829. "method": "GET",
  830. "host": "ocsp.pki.goog",
  831. "version": "1.1",
  832. "path": "/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D",
  833. "data": "GET /gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D HTTP/1.1\r\nCache-Control: max-age = 86400\r\nConnection: Keep-Alive\r\nAccept: */*\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: ocsp.pki.goog\r\n\r\n",
  834. "port": 80
  835. },
  836. {
  837. "count": 1,
  838. "body": "",
  839. "uri": "http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl",
  840. "user-agent": "Microsoft-CryptoAPI/6.1",
  841. "method": "GET",
  842. "host": "crl.microsoft.com",
  843. "version": "1.1",
  844. "path": "/pki/crl/products/microsoftrootcert.crl",
  845. "data": "GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nIf-Modified-Since: Thu, 07 Mar 2019 06:00:16 GMT\r\nUser-Agent: Microsoft-CryptoAPI/6.1\r\nHost: crl.microsoft.com\r\n\r\n",
  846. "port": 80
  847. },
  848. {
  849. "count": 1,
  850. "body": "",
  851. "uri": "http://redirector.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe",
  852. "user-agent": "Microsoft BITS/7.5",
  853. "method": "HEAD",
  854. "host": "redirector.gvt1.com",
  855. "version": "1.1",
  856. "path": "/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe",
  857. "data": "HEAD /edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: redirector.gvt1.com\r\n\r\n",
  858. "port": 80
  859. },
  860. {
  861. "count": 1,
  862. "body": "",
  863. "uri": "http://r13---sn-bvvbax-2ime.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  864. "user-agent": "Microsoft BITS/7.5",
  865. "method": "HEAD",
  866. "host": "r13---sn-bvvbax-2ime.gvt1.com",
  867. "version": "1.1",
  868. "path": "/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  869. "data": "HEAD /edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r13---sn-bvvbax-2ime.gvt1.com\r\n\r\n",
  870. "port": 80
  871. },
  872. {
  873. "count": 1,
  874. "body": "",
  875. "uri": "http://r13---sn-bvvbax-2ime.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  876. "user-agent": "Microsoft BITS/7.5",
  877. "method": "GET",
  878. "host": "r13---sn-bvvbax-2ime.gvt1.com",
  879. "version": "1.1",
  880. "path": "/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  881. "data": "GET /edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Tue, 21 May 2019 04:56:27 GMT\r\nRange: bytes=0-6242\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r13---sn-bvvbax-2ime.gvt1.com\r\n\r\n",
  882. "port": 80
  883. },
  884. {
  885. "count": 1,
  886. "body": "",
  887. "uri": "http://r13---sn-bvvbax-2ime.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  888. "user-agent": "Microsoft BITS/7.5",
  889. "method": "GET",
  890. "host": "r13---sn-bvvbax-2ime.gvt1.com",
  891. "version": "1.1",
  892. "path": "/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  893. "data": "GET /edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Tue, 21 May 2019 04:56:27 GMT\r\nRange: bytes=6243-15029\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r13---sn-bvvbax-2ime.gvt1.com\r\n\r\n",
  894. "port": 80
  895. },
  896. {
  897. "count": 1,
  898. "body": "",
  899. "uri": "http://r13---sn-bvvbax-2ime.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  900. "user-agent": "Microsoft BITS/7.5",
  901. "method": "GET",
  902. "host": "r13---sn-bvvbax-2ime.gvt1.com",
  903. "version": "1.1",
  904. "path": "/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  905. "data": "GET /edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Tue, 21 May 2019 04:56:27 GMT\r\nRange: bytes=15030-25284\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r13---sn-bvvbax-2ime.gvt1.com\r\n\r\n",
  906. "port": 80
  907. },
  908. {
  909. "count": 1,
  910. "body": "",
  911. "uri": "http://r13---sn-bvvbax-2ime.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  912. "user-agent": "Microsoft BITS/7.5",
  913. "method": "GET",
  914. "host": "r13---sn-bvvbax-2ime.gvt1.com",
  915. "version": "1.1",
  916. "path": "/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  917. "data": "GET /edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Tue, 21 May 2019 04:56:27 GMT\r\nRange: bytes=25285-35138\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r13---sn-bvvbax-2ime.gvt1.com\r\n\r\n",
  918. "port": 80
  919. },
  920. {
  921. "count": 1,
  922. "body": "",
  923. "uri": "http://r13---sn-bvvbax-2ime.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  924. "user-agent": "Microsoft BITS/7.5",
  925. "method": "GET",
  926. "host": "r13---sn-bvvbax-2ime.gvt1.com",
  927. "version": "1.1",
  928. "path": "/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  929. "data": "GET /edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Tue, 21 May 2019 04:56:27 GMT\r\nRange: bytes=35139-55711\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r13---sn-bvvbax-2ime.gvt1.com\r\n\r\n",
  930. "port": 80
  931. },
  932. {
  933. "count": 1,
  934. "body": "",
  935. "uri": "http://r13---sn-bvvbax-2ime.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  936. "user-agent": "Microsoft BITS/7.5",
  937. "method": "GET",
  938. "host": "r13---sn-bvvbax-2ime.gvt1.com",
  939. "version": "1.1",
  940. "path": "/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  941. "data": "GET /edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Tue, 21 May 2019 04:56:27 GMT\r\nRange: bytes=55712-97828\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r13---sn-bvvbax-2ime.gvt1.com\r\n\r\n",
  942. "port": 80
  943. },
  944. {
  945. "count": 1,
  946. "body": "",
  947. "uri": "http://r13---sn-bvvbax-2ime.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  948. "user-agent": "Microsoft BITS/7.5",
  949. "method": "GET",
  950. "host": "r13---sn-bvvbax-2ime.gvt1.com",
  951. "version": "1.1",
  952. "path": "/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  953. "data": "GET /edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Tue, 21 May 2019 04:56:27 GMT\r\nRange: bytes=97829-188725\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r13---sn-bvvbax-2ime.gvt1.com\r\n\r\n",
  954. "port": 80
  955. },
  956. {
  957. "count": 1,
  958. "body": "",
  959. "uri": "http://r13---sn-bvvbax-2ime.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  960. "user-agent": "Microsoft BITS/7.5",
  961. "method": "GET",
  962. "host": "r13---sn-bvvbax-2ime.gvt1.com",
  963. "version": "1.1",
  964. "path": "/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  965. "data": "GET /edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Tue, 21 May 2019 04:56:27 GMT\r\nRange: bytes=188726-336648\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r13---sn-bvvbax-2ime.gvt1.com\r\n\r\n",
  966. "port": 80
  967. },
  968. {
  969. "count": 1,
  970. "body": "",
  971. "uri": "http://r13---sn-bvvbax-2ime.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  972. "user-agent": "Microsoft BITS/7.5",
  973. "method": "GET",
  974. "host": "r13---sn-bvvbax-2ime.gvt1.com",
  975. "version": "1.1",
  976. "path": "/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  977. "data": "GET /edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Tue, 21 May 2019 04:56:27 GMT\r\nRange: bytes=336649-676744\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r13---sn-bvvbax-2ime.gvt1.com\r\n\r\n",
  978. "port": 80
  979. },
  980. {
  981. "count": 1,
  982. "body": "",
  983. "uri": "http://r13---sn-bvvbax-2ime.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  984. "user-agent": "Microsoft BITS/7.5",
  985. "method": "GET",
  986. "host": "r13---sn-bvvbax-2ime.gvt1.com",
  987. "version": "1.1",
  988. "path": "/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  989. "data": "GET /edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Tue, 21 May 2019 04:56:27 GMT\r\nRange: bytes=676745-756012\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r13---sn-bvvbax-2ime.gvt1.com\r\n\r\n",
  990. "port": 80
  991. },
  992. {
  993. "count": 1,
  994. "body": "",
  995. "uri": "http://r13---sn-bvvbax-2ime.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  996. "user-agent": "Microsoft BITS/7.5",
  997. "method": "GET",
  998. "host": "r13---sn-bvvbax-2ime.gvt1.com",
  999. "version": "1.1",
  1000. "path": "/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  1001. "data": "GET /edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Tue, 21 May 2019 04:56:27 GMT\r\nRange: bytes=756013-1544838\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r13---sn-bvvbax-2ime.gvt1.com\r\n\r\n",
  1002. "port": 80
  1003. },
  1004. {
  1005. "count": 1,
  1006. "body": "",
  1007. "uri": "http://r13---sn-bvvbax-2ime.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  1008. "user-agent": "Microsoft BITS/7.5",
  1009. "method": "GET",
  1010. "host": "r13---sn-bvvbax-2ime.gvt1.com",
  1011. "version": "1.1",
  1012. "path": "/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  1013. "data": "GET /edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Tue, 21 May 2019 04:56:27 GMT\r\nRange: bytes=1544839-4481094\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r13---sn-bvvbax-2ime.gvt1.com\r\n\r\n",
  1014. "port": 80
  1015. },
  1016. {
  1017. "count": 1,
  1018. "body": "",
  1019. "uri": "http://r13---sn-bvvbax-2ime.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  1020. "user-agent": "Microsoft BITS/7.5",
  1021. "method": "GET",
  1022. "host": "r13---sn-bvvbax-2ime.gvt1.com",
  1023. "version": "1.1",
  1024. "path": "/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  1025. "data": "GET /edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Tue, 21 May 2019 04:56:27 GMT\r\nRange: bytes=4481095-10202722\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r13---sn-bvvbax-2ime.gvt1.com\r\n\r\n",
  1026. "port": 80
  1027. },
  1028. {
  1029. "count": 1,
  1030. "body": "",
  1031. "uri": "http://r13---sn-bvvbax-2ime.gvt1.com/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  1032. "user-agent": "Microsoft BITS/7.5",
  1033. "method": "GET",
  1034. "host": "r13---sn-bvvbax-2ime.gvt1.com",
  1035. "version": "1.1",
  1036. "path": "/edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes",
  1037. "data": "GET /edgedl/release2/chrome/ANcTHgjx95-y_74.0.3729.169/74.0.3729.169_73.0.3683.86_chrome_updater.exe?cms_redirect=yes&mip=70.162.191.80&mm=28&mn=sn-bvvbax-2ime&ms=nvh&mt=1560480688&mv=m&nh=EAI&pl=16&shardbypass=yes HTTP/1.1\r\nConnection: Keep-Alive\r\nAccept: */*\r\nAccept-Encoding: identity\r\nIf-Unmodified-Since: Tue, 21 May 2019 04:56:27 GMT\r\nRange: bytes=10202723-12296959\r\nUser-Agent: Microsoft BITS/7.5\r\nX-Old-UID: cnt=0\r\nX-Last-HR: 0x0\r\nX-Last-HTTP-Status-Code: 0\r\nX-Retry-Count: 0\r\nX-HTTP-Attempts: 1\r\nHost: r13---sn-bvvbax-2ime.gvt1.com\r\n\r\n",
  1038. "port": 80
  1039. }
  1040. ]
  1041.  
  1042. [*] Network Communication - SMTP: []
  1043.  
  1044. [*] Network Communication - Hosts: []
  1045.  
  1046. [*] Network Communication - IRC: []
  1047.  
  1048. [*] Static Analysis: {
  1049. "pe": {
  1050. "peid_signatures": null,
  1051. "imports": [
  1052. {
  1053. "imports": [
  1054. {
  1055. "name": "GetStartupInfoW",
  1056. "address": "0x405030"
  1057. },
  1058. {
  1059. "name": "GetSystemTimeAsFileTime",
  1060. "address": "0x405034"
  1061. },
  1062. {
  1063. "name": "GetTickCount",
  1064. "address": "0x405038"
  1065. },
  1066. {
  1067. "name": "InterlockedCompareExchange",
  1068. "address": "0x40503c"
  1069. },
  1070. {
  1071. "name": "InterlockedExchange",
  1072. "address": "0x405040"
  1073. },
  1074. {
  1075. "name": "IsDebuggerPresent",
  1076. "address": "0x405044"
  1077. },
  1078. {
  1079. "name": "LoadLibraryW",
  1080. "address": "0x405048"
  1081. },
  1082. {
  1083. "name": "LocalAlloc",
  1084. "address": "0x40504c"
  1085. },
  1086. {
  1087. "name": "LocalFree",
  1088. "address": "0x405050"
  1089. },
  1090. {
  1091. "name": "OpenEventW",
  1092. "address": "0x405054"
  1093. },
  1094. {
  1095. "name": "OutputDebugStringA",
  1096. "address": "0x405058"
  1097. },
  1098. {
  1099. "name": "OutputDebugStringW",
  1100. "address": "0x40505c"
  1101. },
  1102. {
  1103. "name": "GetProcAddress",
  1104. "address": "0x405060"
  1105. },
  1106. {
  1107. "name": "SetConsoleCtrlHandler",
  1108. "address": "0x405064"
  1109. },
  1110. {
  1111. "name": "SetErrorMode",
  1112. "address": "0x405068"
  1113. },
  1114. {
  1115. "name": "SetEvent",
  1116. "address": "0x40506c"
  1117. },
  1118. {
  1119. "name": "SetPriorityClass",
  1120. "address": "0x405070"
  1121. },
  1122. {
  1123. "name": "SetThreadPriority",
  1124. "address": "0x405074"
  1125. },
  1126. {
  1127. "name": "SetUnhandledExceptionFilter",
  1128. "address": "0x405078"
  1129. },
  1130. {
  1131. "name": "Sleep",
  1132. "address": "0x40507c"
  1133. },
  1134. {
  1135. "name": "TerminateProcess",
  1136. "address": "0x405080"
  1137. },
  1138. {
  1139. "name": "UnhandledExceptionFilter",
  1140. "address": "0x405084"
  1141. },
  1142. {
  1143. "name": "WaitForSingleObject",
  1144. "address": "0x405088"
  1145. },
  1146. {
  1147. "name": "LoadLibraryA",
  1148. "address": "0x40508c"
  1149. },
  1150. {
  1151. "name": "GetModuleHandleW",
  1152. "address": "0x405090"
  1153. },
  1154. {
  1155. "name": "GetModuleHandleA",
  1156. "address": "0x405094"
  1157. },
  1158. {
  1159. "name": "GetModuleFileNameW",
  1160. "address": "0x405098"
  1161. },
  1162. {
  1163. "name": "GetLastError",
  1164. "address": "0x40509c"
  1165. },
  1166. {
  1167. "name": "GetCurrentThreadId",
  1168. "address": "0x4050a0"
  1169. },
  1170. {
  1171. "name": "GetCurrentThread",
  1172. "address": "0x4050a4"
  1173. },
  1174. {
  1175. "name": "GetCurrentProcessId",
  1176. "address": "0x4050a8"
  1177. },
  1178. {
  1179. "name": "GetCurrentProcess",
  1180. "address": "0x4050ac"
  1181. },
  1182. {
  1183. "name": "FreeLibrary",
  1184. "address": "0x4050b0"
  1185. },
  1186. {
  1187. "name": "CreateEventW",
  1188. "address": "0x4050b4"
  1189. },
  1190. {
  1191. "name": "QueryPerformanceCounter",
  1192. "address": "0x4050b8"
  1193. },
  1194. {
  1195. "name": "CloseHandle",
  1196. "address": "0x4050bc"
  1197. },
  1198. {
  1199. "name": "RtlUnwind",
  1200. "address": "0x4050c0"
  1201. }
  1202. ],
  1203. "dll": "KERNEL32.dll"
  1204. },
  1205. {
  1206. "imports": [
  1207. {
  1208. "name": "EndMenu",
  1209. "address": "0x4050c8"
  1210. },
  1211. {
  1212. "name": "GetClipboardSequenceNumber",
  1213. "address": "0x4050cc"
  1214. },
  1215. {
  1216. "name": "LoadCursorA",
  1217. "address": "0x4050d0"
  1218. },
  1219. {
  1220. "name": "EnumClipboardFormats",
  1221. "address": "0x4050d4"
  1222. },
  1223. {
  1224. "name": "GetInputState",
  1225. "address": "0x4050d8"
  1226. },
  1227. {
  1228. "name": "CreatePopupMenu",
  1229. "address": "0x4050dc"
  1230. },
  1231. {
  1232. "name": "GetCursor",
  1233. "address": "0x4050e0"
  1234. },
  1235. {
  1236. "name": "IsMenu",
  1237. "address": "0x4050e4"
  1238. },
  1239. {
  1240. "name": "GetProcessWindowStation",
  1241. "address": "0x4050e8"
  1242. },
  1243. {
  1244. "name": "DrawMenuBar",
  1245. "address": "0x4050ec"
  1246. },
  1247. {
  1248. "name": "GetListBoxInfo",
  1249. "address": "0x4050f0"
  1250. },
  1251. {
  1252. "name": "IsCharUpperA",
  1253. "address": "0x4050f4"
  1254. },
  1255. {
  1256. "name": "GetDesktopWindow",
  1257. "address": "0x4050f8"
  1258. },
  1259. {
  1260. "name": "DestroyWindow",
  1261. "address": "0x4050fc"
  1262. },
  1263. {
  1264. "name": "DestroyCursor",
  1265. "address": "0x405100"
  1266. },
  1267. {
  1268. "name": "CharToOemBuffA",
  1269. "address": "0x405104"
  1270. },
  1271. {
  1272. "name": "GetWindowContextHelpId",
  1273. "address": "0x405108"
  1274. }
  1275. ],
  1276. "dll": "USER32.dll"
  1277. },
  1278. {
  1279. "imports": [
  1280. {
  1281. "name": "GetPixelFormat",
  1282. "address": "0x405008"
  1283. },
  1284. {
  1285. "name": "GetColorSpace",
  1286. "address": "0x40500c"
  1287. },
  1288. {
  1289. "name": "GetTextColor",
  1290. "address": "0x405010"
  1291. },
  1292. {
  1293. "name": "GetPolyFillMode",
  1294. "address": "0x405014"
  1295. },
  1296. {
  1297. "name": "CreateMetaFileA",
  1298. "address": "0x405018"
  1299. },
  1300. {
  1301. "name": "GetMapMode",
  1302. "address": "0x40501c"
  1303. },
  1304. {
  1305. "name": "GetDCBrushColor",
  1306. "address": "0x405020"
  1307. },
  1308. {
  1309. "name": "CancelDC",
  1310. "address": "0x405024"
  1311. },
  1312. {
  1313. "name": "GetEnhMetaFileA",
  1314. "address": "0x405028"
  1315. }
  1316. ],
  1317. "dll": "GDI32.dll"
  1318. },
  1319. {
  1320. "imports": [
  1321. {
  1322. "name": "RegOpenKeyExW",
  1323. "address": "0x405000"
  1324. }
  1325. ],
  1326. "dll": "ADVAPI32.dll"
  1327. }
  1328. ],
  1329. "digital_signers": null,
  1330. "exported_dll_name": null,
  1331. "actual_checksum": "0x0012d035",
  1332. "overlay": {
  1333. "size": "0x00000d08",
  1334. "offset": "0x00128800"
  1335. },
  1336. "imagebase": "0x00400000",
  1337. "reported_checksum": "0x00133019",
  1338. "icon_hash": null,
  1339. "entrypoint": "0x004039a0",
  1340. "timestamp": "2019-01-31 04:02:08",
  1341. "osversion": "5.0",
  1342. "sections": [
  1343. {
  1344. "name": ".text",
  1345. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  1346. "virtual_address": "0x00001000",
  1347. "size_of_data": "0x00003e00",
  1348. "entropy": "5.34",
  1349. "raw_address": "0x00000400",
  1350. "virtual_size": "0x00003d5a",
  1351. "characteristics_raw": "0x60000020"
  1352. },
  1353. {
  1354. "name": ".rdata",
  1355. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1356. "virtual_address": "0x00005000",
  1357. "size_of_data": "0x00001000",
  1358. "entropy": "5.24",
  1359. "raw_address": "0x00004200",
  1360. "virtual_size": "0x00000f64",
  1361. "characteristics_raw": "0x40000040"
  1362. },
  1363. {
  1364. "name": ".data",
  1365. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  1366. "virtual_address": "0x00006000",
  1367. "size_of_data": "0x000fe800",
  1368. "entropy": "7.30",
  1369. "raw_address": "0x00005200",
  1370. "virtual_size": "0x000fec20",
  1371. "characteristics_raw": "0xc0000040"
  1372. },
  1373. {
  1374. "name": ".CRT",
  1375. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1376. "virtual_address": "0x00105000",
  1377. "size_of_data": "0x00000200",
  1378. "entropy": "0.06",
  1379. "raw_address": "0x00103a00",
  1380. "virtual_size": "0x00000004",
  1381. "characteristics_raw": "0x40000040"
  1382. },
  1383. {
  1384. "name": ".rsrc",
  1385. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  1386. "virtual_address": "0x00106000",
  1387. "size_of_data": "0x00024c00",
  1388. "entropy": "7.24",
  1389. "raw_address": "0x00103c00",
  1390. "virtual_size": "0x00101a78",
  1391. "characteristics_raw": "0x40000040"
  1392. }
  1393. ],
  1394. "resources": [],
  1395. "dirents": [
  1396. {
  1397. "virtual_address": "0x00000000",
  1398. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  1399. "size": "0x00000000"
  1400. },
  1401. {
  1402. "virtual_address": "0x00005924",
  1403. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  1404. "size": "0x00000064"
  1405. },
  1406. {
  1407. "virtual_address": "0x00106000",
  1408. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  1409. "size": "0x00024a78"
  1410. },
  1411. {
  1412. "virtual_address": "0x00000000",
  1413. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  1414. "size": "0x00000000"
  1415. },
  1416. {
  1417. "virtual_address": "0x00128800",
  1418. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  1419. "size": "0x00000d08"
  1420. },
  1421. {
  1422. "virtual_address": "0x00000000",
  1423. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  1424. "size": "0x00000000"
  1425. },
  1426. {
  1427. "virtual_address": "0x00000000",
  1428. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  1429. "size": "0x00000000"
  1430. },
  1431. {
  1432. "virtual_address": "0x00000000",
  1433. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  1434. "size": "0x00000000"
  1435. },
  1436. {
  1437. "virtual_address": "0x00000000",
  1438. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  1439. "size": "0x00000000"
  1440. },
  1441. {
  1442. "virtual_address": "0x00000000",
  1443. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  1444. "size": "0x00000000"
  1445. },
  1446. {
  1447. "virtual_address": "0x00000000",
  1448. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  1449. "size": "0x00000000"
  1450. },
  1451. {
  1452. "virtual_address": "0x00000000",
  1453. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  1454. "size": "0x00000000"
  1455. },
  1456. {
  1457. "virtual_address": "0x00005000",
  1458. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  1459. "size": "0x00000110"
  1460. },
  1461. {
  1462. "virtual_address": "0x00000000",
  1463. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  1464. "size": "0x00000000"
  1465. },
  1466. {
  1467. "virtual_address": "0x00000000",
  1468. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  1469. "size": "0x00000000"
  1470. },
  1471. {
  1472. "virtual_address": "0x00000000",
  1473. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  1474. "size": "0x00000000"
  1475. }
  1476. ],
  1477. "exports": [],
  1478. "guest_signers": {},
  1479. "imphash": "3c775e96b806128b1dc225d68ec6d59a",
  1480. "icon_fuzzy": null,
  1481. "icon": null,
  1482. "pdbpath": null,
  1483. "imported_dll_count": 4,
  1484. "versioninfo": []
  1485. }
  1486. }
  1487.  
  1488. [*] Resolved APIs: [
  1489. "advapi32.dll.RegQueryValueExA",
  1490. "kernel32.dll.VirtualAlloc",
  1491. "kernel32.dll.LoadLibraryExA",
  1492. "kernel32.dll.GetProcAddress",
  1493. "kernel32.dll.SetFilePointer",
  1494. "kernel32.dll.lstrlenA",
  1495. "kernel32.dll.lstrcatA",
  1496. "kernel32.dll.VirtualProtect",
  1497. "kernel32.dll.UnmapViewOfFile",
  1498. "kernel32.dll.GetModuleHandleA",
  1499. "kernel32.dll.WriteFile",
  1500. "kernel32.dll.CloseHandle",
  1501. "kernel32.dll.VirtualFree",
  1502. "kernel32.dll.GetTempPathA",
  1503. "kernel32.dll.CreateFileA",
  1504. "kernel32.dll.LoadLibraryA",
  1505. "kernel32.dll.ExitProcess",
  1506. "advapi32.dll.RegCloseKey",
  1507. "oleaut32.dll.#6",
  1508. "shell32.dll.SHGetMalloc",
  1509. "user32.dll.CharUpperA",
  1510. "ws2_32.dll.#1",
  1511. "kernel32.dll.Sleep",
  1512. "kernel32.dll.GetSystemTimeAsFileTime",
  1513. "kernel32.dll.HeapFree",
  1514. "kernel32.dll.HeapAlloc",
  1515. "kernel32.dll.GetProcessHeap",
  1516. "kernel32.dll.OpenProcess",
  1517. "kernel32.dll.CreatePipe",
  1518. "kernel32.dll.CreateProcessA",
  1519. "kernel32.dll.GetExitCodeProcess",
  1520. "kernel32.dll.SetHandleInformation",
  1521. "kernel32.dll.PeekNamedPipe",
  1522. "kernel32.dll.LocalFree",
  1523. "kernel32.dll.GlobalMemoryStatusEx",
  1524. "kernel32.dll.CreateFileMappingA",
  1525. "kernel32.dll.InitializeCriticalSection",
  1526. "kernel32.dll.InterlockedDecrement",
  1527. "kernel32.dll.ReadFile",
  1528. "kernel32.dll.CreateFileW",
  1529. "kernel32.dll.GetLastError",
  1530. "kernel32.dll.TerminateProcess",
  1531. "kernel32.dll.GetCurrentProcess",
  1532. "kernel32.dll.UnhandledExceptionFilter",
  1533. "kernel32.dll.SetUnhandledExceptionFilter",
  1534. "kernel32.dll.IsDebuggerPresent",
  1535. "kernel32.dll.GetCommandLineA",
  1536. "kernel32.dll.GetStartupInfoA",
  1537. "kernel32.dll.RaiseException",
  1538. "kernel32.dll.RtlUnwind",
  1539. "kernel32.dll.GetModuleHandleW",
  1540. "kernel32.dll.TlsGetValue",
  1541. "kernel32.dll.TlsAlloc",
  1542. "kernel32.dll.TlsSetValue",
  1543. "kernel32.dll.TlsFree",
  1544. "kernel32.dll.InterlockedIncrement",
  1545. "kernel32.dll.SetLastError",
  1546. "kernel32.dll.GetCurrentThreadId",
  1547. "kernel32.dll.HeapSize",
  1548. "kernel32.dll.GetStdHandle",
  1549. "kernel32.dll.GetModuleFileNameA",
  1550. "kernel32.dll.FreeEnvironmentStringsA",
  1551. "kernel32.dll.GetEnvironmentStrings",
  1552. "kernel32.dll.FreeEnvironmentStringsW",
  1553. "kernel32.dll.WideCharToMultiByte",
  1554. "kernel32.dll.GetEnvironmentStringsW",
  1555. "kernel32.dll.SetHandleCount",
  1556. "kernel32.dll.GetFileType",
  1557. "kernel32.dll.DeleteCriticalSection",
  1558. "kernel32.dll.HeapCreate",
  1559. "kernel32.dll.QueryPerformanceCounter",
  1560. "kernel32.dll.GetTickCount",
  1561. "kernel32.dll.GetCurrentProcessId",
  1562. "kernel32.dll.SetEvent",
  1563. "kernel32.dll.GetACP",
  1564. "kernel32.dll.DeleteFileA",
  1565. "kernel32.dll.IsValidCodePage",
  1566. "kernel32.dll.EnterCriticalSection",
  1567. "kernel32.dll.LeaveCriticalSection",
  1568. "kernel32.dll.GetConsoleCP",
  1569. "kernel32.dll.GetConsoleMode",
  1570. "kernel32.dll.FlushFileBuffers",
  1571. "kernel32.dll.MultiByteToWideChar",
  1572. "kernel32.dll.LCMapStringA",
  1573. "kernel32.dll.LCMapStringW",
  1574. "kernel32.dll.HeapReAlloc",
  1575. "kernel32.dll.SetConsoleCtrlHandler",
  1576. "kernel32.dll.FreeLibrary",
  1577. "kernel32.dll.InitializeCriticalSectionAndSpinCount",
  1578. "kernel32.dll.GetLocaleInfoA",
  1579. "kernel32.dll.GetStringTypeA",
  1580. "kernel32.dll.GetStringTypeW",
  1581. "kernel32.dll.GetTimeFormatA",
  1582. "kernel32.dll.GetDateFormatA",
  1583. "kernel32.dll.SetStdHandle",
  1584. "kernel32.dll.WriteConsoleA",
  1585. "kernel32.dll.GetConsoleOutputCP",
  1586. "kernel32.dll.WriteConsoleW",
  1587. "kernel32.dll.GetTimeZoneInformation",
  1588. "kernel32.dll.SetEndOfFile",
  1589. "kernel32.dll.CompareStringA",
  1590. "kernel32.dll.CompareStringW",
  1591. "kernel32.dll.SetEnvironmentVariableA",
  1592. "kernel32.dll.GetSystemInfo",
  1593. "kernel32.dll.OpenEventA",
  1594. "kernel32.dll.ResetEvent",
  1595. "kernel32.dll.ResumeThread",
  1596. "kernel32.dll.SystemTimeToFileTime",
  1597. "kernel32.dll.WaitForMultipleObjects",
  1598. "kernel32.dll.SetWaitableTimer",
  1599. "kernel32.dll.CreateWaitableTimerA",
  1600. "kernel32.dll.GetVersion",
  1601. "kernel32.dll.GlobalMemoryStatus",
  1602. "kernel32.dll.GetVersionExA",
  1603. "kernel32.dll.FlushConsoleInputBuffer",
  1604. "kernel32.dll.VerSetConditionMask",
  1605. "kernel32.dll.SleepEx",
  1606. "kernel32.dll.VerifyVersionInfoA",
  1607. "kernel32.dll.ExpandEnvironmentStringsA",
  1608. "kernel32.dll.FormatMessageA",
  1609. "kernel32.dll.MapViewOfFile",
  1610. "kernel32.dll.GetFileSize",
  1611. "kernel32.dll.CreateIoCompletionPort",
  1612. "kernel32.dll.PostQueuedCompletionStatus",
  1613. "kernel32.dll.ReleaseSemaphore",
  1614. "kernel32.dll.CreateSemaphoreA",
  1615. "kernel32.dll.GetQueuedCompletionStatus",
  1616. "kernel32.dll.GetFileInformationByHandle",
  1617. "kernel32.dll.MoveFileA",
  1618. "kernel32.dll.LockFile",
  1619. "kernel32.dll.UnlockFile",
  1620. "kernel32.dll.GetModuleFileNameW",
  1621. "kernel32.dll.LoadLibraryW",
  1622. "kernel32.dll.CreateDirectoryA",
  1623. "kernel32.dll.GetOEMCP",
  1624. "kernel32.dll.WaitForSingleObject",
  1625. "kernel32.dll.GetCPInfo",
  1626. "kernel32.dll.CreateEventA",
  1627. "kernel32.dll.GetSystemDirectoryA",
  1628. "kernel32.dll.GetCurrentDirectoryA",
  1629. "kernel32.dll.GetFullPathNameA",
  1630. "kernel32.dll.FindFirstFileA",
  1631. "kernel32.dll.GetDriveTypeA",
  1632. "kernel32.dll.FileTimeToLocalFileTime",
  1633. "kernel32.dll.FileTimeToSystemTime",
  1634. "kernel32.dll.FindClose",
  1635. "kernel32.dll.SetConsoleMode",
  1636. "kernel32.dll.ReadConsoleInputA",
  1637. "kernel32.dll.CreateThread",
  1638. "kernel32.dll.ExitThread",
  1639. "kernel32.dll.VirtualQuery",
  1640. "advapi32.dll.DeregisterEventSource",
  1641. "advapi32.dll.RegisterEventSourceA",
  1642. "advapi32.dll.ReportEventA",
  1643. "advapi32.dll.RegOpenKeyExA",
  1644. "advapi32.dll.CryptAcquireContextA",
  1645. "advapi32.dll.CryptGenRandom",
  1646. "oleaut32.dll.#9",
  1647. "oleaut32.dll.#2",
  1648. "shell32.dll.SHGetSpecialFolderLocation",
  1649. "shell32.dll.SHGetSpecialFolderPathA",
  1650. "shell32.dll.SHGetPathFromIDListA",
  1651. "user32.dll.MessageBoxA",
  1652. "user32.dll.CharLowerW",
  1653. "user32.dll.GetUserObjectInformationW",
  1654. "user32.dll.GetDesktopWindow",
  1655. "user32.dll.GetProcessWindowStation",
  1656. "user32.dll.CharUpperW",
  1657. "ws2_32.dll.freeaddrinfo",
  1658. "ws2_32.dll.getaddrinfo",
  1659. "ws2_32.dll.#17",
  1660. "ws2_32.dll.#55",
  1661. "ws2_32.dll.#54",
  1662. "ws2_32.dll.#13",
  1663. "ws2_32.dll.#8",
  1664. "ws2_32.dll.#14",
  1665. "ws2_32.dll.#57",
  1666. "ws2_32.dll.#52",
  1667. "ws2_32.dll.#10",
  1668. "ws2_32.dll.#19",
  1669. "ws2_32.dll.#18",
  1670. "ws2_32.dll.#151",
  1671. "ws2_32.dll.#5",
  1672. "ws2_32.dll.WSAIoctl",
  1673. "ws2_32.dll.#4",
  1674. "ws2_32.dll.#111",
  1675. "ws2_32.dll.#9",
  1676. "ws2_32.dll.#15",
  1677. "ws2_32.dll.#20",
  1678. "ws2_32.dll.#22",
  1679. "ws2_32.dll.#6",
  1680. "ws2_32.dll.#21",
  1681. "ws2_32.dll.#16",
  1682. "ws2_32.dll.#2",
  1683. "ws2_32.dll.#23",
  1684. "ws2_32.dll.#112",
  1685. "ws2_32.dll.#3",
  1686. "ws2_32.dll.#7",
  1687. "ws2_32.dll.#115",
  1688. "ws2_32.dll.#116",
  1689. "kernel32.dll.FlsAlloc",
  1690. "kernel32.dll.FlsGetValue",
  1691. "kernel32.dll.FlsSetValue",
  1692. "kernel32.dll.FlsFree",
  1693. "kernel32.dll.IsProcessorFeaturePresent",
  1694. "kernel32.dll.GetComputerNameW",
  1695. "kernel32.dll.GetLogicalDriveStringsW",
  1696. "kernel32.dll.GetVolumeInformationW",
  1697. "kernel32.dll.GetDriveTypeW",
  1698. "kernel32.dll.GetSystemDirectoryW",
  1699. "kernel32.dll.GetWindowsDirectoryA",
  1700. "kernel32.dll.GetWindowsDirectoryW",
  1701. "kernel32.dll.GetTempPathW",
  1702. "kernel32.dll.FindFirstFileW",
  1703. "kernel32.dll.FindNextFileW",
  1704. "kernel32.dll.SetFileAttributesW",
  1705. "kernel32.dll.GetFileAttributesW",
  1706. "kernel32.dll.MoveFileW",
  1707. "kernel32.dll.CreateDirectoryW",
  1708. "kernel32.dll.DeleteFileW",
  1709. "kernel32.dll.CopyFileW",
  1710. "kernel32.dll.DeviceIoControl",
  1711. "kernel32.dll.GetShortPathNameW",
  1712. "kernel32.dll.GetVersionExW",
  1713. "kernel32.dll.SetErrorMode",
  1714. "kernel32.dll.CreateProcessW",
  1715. "kernel32.dll.Wow64DisableWow64FsRedirection",
  1716. "kernel32.dll.Wow64RevertWow64FsRedirection",
  1717. "advapi32.dll.RegOpenKeyExW",
  1718. "advapi32.dll.RegQueryValueExW",
  1719. "advapi32.dll.RegSetValueExW",
  1720. "advapi32.dll.RegCreateKeyExW",
  1721. "advapi32.dll.RegDeleteValueW",
  1722. "advapi32.dll.RegEnumKeyW",
  1723. "advapi32.dll.RegQueryInfoKeyW",
  1724. "advapi32.dll.GetUserNameW",
  1725. "shell32.dll.SHGetFolderPathW",
  1726. "shell32.dll.ShellExecuteW",
  1727. "shell32.dll.SHGetKnownFolderPath",
  1728. "ole32.dll.CoInitializeEx",
  1729. "ole32.dll.CoUninitialize",
  1730. "ole32.dll.CoCreateInstance",
  1731. "ole32.dll.CoInitializeSecurity",
  1732. "ole32.dll.CoSetProxyBlanket",
  1733. "ole32.dll.CoTaskMemFree",
  1734. "oleaut32.dll.VariantClear",
  1735. "user32.dll.GetWindowRect",
  1736. "user32.dll.GetDC",
  1737. "user32.dll.DrawTextW",
  1738. "user32.dll.SystemParametersInfoW",
  1739. "user32.dll.GetForegroundWindow",
  1740. "gdi32.dll.CreateCompatibleDC",
  1741. "gdi32.dll.CreateCompatibleBitmap",
  1742. "gdi32.dll.SelectObject",
  1743. "gdi32.dll.DeleteObject",
  1744. "gdi32.dll.DeleteDC",
  1745. "gdi32.dll.CreateBrushIndirect",
  1746. "gdi32.dll.SetTextColor",
  1747. "gdi32.dll.SetBkColor",
  1748. "gdi32.dll.GetCurrentObject",
  1749. "gdi32.dll.GetObjectA",
  1750. "gdi32.dll.CreateFontIndirectA",
  1751. "gdi32.dll.CreateDIBSection",
  1752. "gdi32.dll.BitBlt",
  1753. "gdi32.dll.ExtFloodFill",
  1754. "netapi32.dll.NetServerGetInfo",
  1755. "netapi32.dll.NetApiBufferFree",
  1756. "netapi32.dll.NetWkstaGetInfo",
  1757. "kernel32.dll.SetProcessDEPPolicy",
  1758. "netapi32.dll.NetStatisticsGet",
  1759. "advapi32.dll.CryptAcquireContextW",
  1760. "advapi32.dll.CryptReleaseContext",
  1761. "cryptsp.dll.CryptAcquireContextW",
  1762. "cryptsp.dll.CryptGenRandom",
  1763. "cryptsp.dll.CryptReleaseContext",
  1764. "user32.dll.GetCursorInfo",
  1765. "user32.dll.GetQueueStatus",
  1766. "kernel32.dll.CreateToolhelp32Snapshot",
  1767. "kernel32.dll.Heap32First",
  1768. "kernel32.dll.Heap32Next",
  1769. "kernel32.dll.Heap32ListFirst",
  1770. "kernel32.dll.Heap32ListNext",
  1771. "kernel32.dll.Process32First",
  1772. "kernel32.dll.Process32Next",
  1773. "kernel32.dll.Thread32First",
  1774. "kernel32.dll.Thread32Next",
  1775. "kernel32.dll.Module32First",
  1776. "kernel32.dll.Module32Next",
  1777. "cryptsp.dll.CryptAcquireContextA",
  1778. "cryptbase.dll.SystemFunction036",
  1779. "uxtheme.dll.ThemeInitApiHook",
  1780. "user32.dll.IsProcessDPIAware",
  1781. "ole32.dll.CreateBindCtx",
  1782. "ole32.dll.CoTaskMemAlloc",
  1783. "ole32.dll.CoGetApartmentType",
  1784. "ole32.dll.CoRegisterInitializeSpy",
  1785. "comctl32.dll.#236",
  1786. "ole32.dll.CoGetMalloc",
  1787. "comctl32.dll.#320",
  1788. "comctl32.dll.#324",
  1789. "comctl32.dll.#323",
  1790. "comctl32.dll.#328",
  1791. "comctl32.dll.#334",
  1792. "setupapi.dll.CM_Get_Device_Interface_List_Size_ExW",
  1793. "setupapi.dll.CM_Get_Device_Interface_List_ExW",
  1794. "advapi32.dll.InitializeSecurityDescriptor",
  1795. "advapi32.dll.SetEntriesInAclW",
  1796. "ntmarta.dll.GetMartaExtensionInterface",
  1797. "advapi32.dll.SetSecurityDescriptorDacl",
  1798. "advapi32.dll.IsTextUnicode",
  1799. "comctl32.dll.#332",
  1800. "comctl32.dll.#338",
  1801. "comctl32.dll.#339",
  1802. "comctl32.dll.#386",
  1803. "shell32.dll.#102",
  1804. "ole32.dll.CoRevokeInitializeSpy",
  1805. "comctl32.dll.#388",
  1806. "ole32.dll.NdrOleInitializeExtension",
  1807. "ole32.dll.CoGetClassObject",
  1808. "ole32.dll.CoGetMarshalSizeMax",
  1809. "ole32.dll.CoMarshalInterface",
  1810. "ole32.dll.CoUnmarshalInterface",
  1811. "ole32.dll.StringFromIID",
  1812. "ole32.dll.CoGetPSClsid",
  1813. "ole32.dll.CoReleaseMarshalData",
  1814. "ole32.dll.DcomChannelSetHResult",
  1815. "oleaut32.dll.#500",
  1816. "iphlpapi.dll.GetAdaptersAddresses"
  1817. ]
  1818.  
  1819. [*] Static Analysis: {
  1820. "pe": {
  1821. "peid_signatures": null,
  1822. "imports": [
  1823. {
  1824. "imports": [
  1825. {
  1826. "name": "GetStartupInfoW",
  1827. "address": "0x405030"
  1828. },
  1829. {
  1830. "name": "GetSystemTimeAsFileTime",
  1831. "address": "0x405034"
  1832. },
  1833. {
  1834. "name": "GetTickCount",
  1835. "address": "0x405038"
  1836. },
  1837. {
  1838. "name": "InterlockedCompareExchange",
  1839. "address": "0x40503c"
  1840. },
  1841. {
  1842. "name": "InterlockedExchange",
  1843. "address": "0x405040"
  1844. },
  1845. {
  1846. "name": "IsDebuggerPresent",
  1847. "address": "0x405044"
  1848. },
  1849. {
  1850. "name": "LoadLibraryW",
  1851. "address": "0x405048"
  1852. },
  1853. {
  1854. "name": "LocalAlloc",
  1855. "address": "0x40504c"
  1856. },
  1857. {
  1858. "name": "LocalFree",
  1859. "address": "0x405050"
  1860. },
  1861. {
  1862. "name": "OpenEventW",
  1863. "address": "0x405054"
  1864. },
  1865. {
  1866. "name": "OutputDebugStringA",
  1867. "address": "0x405058"
  1868. },
  1869. {
  1870. "name": "OutputDebugStringW",
  1871. "address": "0x40505c"
  1872. },
  1873. {
  1874. "name": "GetProcAddress",
  1875. "address": "0x405060"
  1876. },
  1877. {
  1878. "name": "SetConsoleCtrlHandler",
  1879. "address": "0x405064"
  1880. },
  1881. {
  1882. "name": "SetErrorMode",
  1883. "address": "0x405068"
  1884. },
  1885. {
  1886. "name": "SetEvent",
  1887. "address": "0x40506c"
  1888. },
  1889. {
  1890. "name": "SetPriorityClass",
  1891. "address": "0x405070"
  1892. },
  1893. {
  1894. "name": "SetThreadPriority",
  1895. "address": "0x405074"
  1896. },
  1897. {
  1898. "name": "SetUnhandledExceptionFilter",
  1899. "address": "0x405078"
  1900. },
  1901. {
  1902. "name": "Sleep",
  1903. "address": "0x40507c"
  1904. },
  1905. {
  1906. "name": "TerminateProcess",
  1907. "address": "0x405080"
  1908. },
  1909. {
  1910. "name": "UnhandledExceptionFilter",
  1911. "address": "0x405084"
  1912. },
  1913. {
  1914. "name": "WaitForSingleObject",
  1915. "address": "0x405088"
  1916. },
  1917. {
  1918. "name": "LoadLibraryA",
  1919. "address": "0x40508c"
  1920. },
  1921. {
  1922. "name": "GetModuleHandleW",
  1923. "address": "0x405090"
  1924. },
  1925. {
  1926. "name": "GetModuleHandleA",
  1927. "address": "0x405094"
  1928. },
  1929. {
  1930. "name": "GetModuleFileNameW",
  1931. "address": "0x405098"
  1932. },
  1933. {
  1934. "name": "GetLastError",
  1935. "address": "0x40509c"
  1936. },
  1937. {
  1938. "name": "GetCurrentThreadId",
  1939. "address": "0x4050a0"
  1940. },
  1941. {
  1942. "name": "GetCurrentThread",
  1943. "address": "0x4050a4"
  1944. },
  1945. {
  1946. "name": "GetCurrentProcessId",
  1947. "address": "0x4050a8"
  1948. },
  1949. {
  1950. "name": "GetCurrentProcess",
  1951. "address": "0x4050ac"
  1952. },
  1953. {
  1954. "name": "FreeLibrary",
  1955. "address": "0x4050b0"
  1956. },
  1957. {
  1958. "name": "CreateEventW",
  1959. "address": "0x4050b4"
  1960. },
  1961. {
  1962. "name": "QueryPerformanceCounter",
  1963. "address": "0x4050b8"
  1964. },
  1965. {
  1966. "name": "CloseHandle",
  1967. "address": "0x4050bc"
  1968. },
  1969. {
  1970. "name": "RtlUnwind",
  1971. "address": "0x4050c0"
  1972. }
  1973. ],
  1974. "dll": "KERNEL32.dll"
  1975. },
  1976. {
  1977. "imports": [
  1978. {
  1979. "name": "EndMenu",
  1980. "address": "0x4050c8"
  1981. },
  1982. {
  1983. "name": "GetClipboardSequenceNumber",
  1984. "address": "0x4050cc"
  1985. },
  1986. {
  1987. "name": "LoadCursorA",
  1988. "address": "0x4050d0"
  1989. },
  1990. {
  1991. "name": "EnumClipboardFormats",
  1992. "address": "0x4050d4"
  1993. },
  1994. {
  1995. "name": "GetInputState",
  1996. "address": "0x4050d8"
  1997. },
  1998. {
  1999. "name": "CreatePopupMenu",
  2000. "address": "0x4050dc"
  2001. },
  2002. {
  2003. "name": "GetCursor",
  2004. "address": "0x4050e0"
  2005. },
  2006. {
  2007. "name": "IsMenu",
  2008. "address": "0x4050e4"
  2009. },
  2010. {
  2011. "name": "GetProcessWindowStation",
  2012. "address": "0x4050e8"
  2013. },
  2014. {
  2015. "name": "DrawMenuBar",
  2016. "address": "0x4050ec"
  2017. },
  2018. {
  2019. "name": "GetListBoxInfo",
  2020. "address": "0x4050f0"
  2021. },
  2022. {
  2023. "name": "IsCharUpperA",
  2024. "address": "0x4050f4"
  2025. },
  2026. {
  2027. "name": "GetDesktopWindow",
  2028. "address": "0x4050f8"
  2029. },
  2030. {
  2031. "name": "DestroyWindow",
  2032. "address": "0x4050fc"
  2033. },
  2034. {
  2035. "name": "DestroyCursor",
  2036. "address": "0x405100"
  2037. },
  2038. {
  2039. "name": "CharToOemBuffA",
  2040. "address": "0x405104"
  2041. },
  2042. {
  2043. "name": "GetWindowContextHelpId",
  2044. "address": "0x405108"
  2045. }
  2046. ],
  2047. "dll": "USER32.dll"
  2048. },
  2049. {
  2050. "imports": [
  2051. {
  2052. "name": "GetPixelFormat",
  2053. "address": "0x405008"
  2054. },
  2055. {
  2056. "name": "GetColorSpace",
  2057. "address": "0x40500c"
  2058. },
  2059. {
  2060. "name": "GetTextColor",
  2061. "address": "0x405010"
  2062. },
  2063. {
  2064. "name": "GetPolyFillMode",
  2065. "address": "0x405014"
  2066. },
  2067. {
  2068. "name": "CreateMetaFileA",
  2069. "address": "0x405018"
  2070. },
  2071. {
  2072. "name": "GetMapMode",
  2073. "address": "0x40501c"
  2074. },
  2075. {
  2076. "name": "GetDCBrushColor",
  2077. "address": "0x405020"
  2078. },
  2079. {
  2080. "name": "CancelDC",
  2081. "address": "0x405024"
  2082. },
  2083. {
  2084. "name": "GetEnhMetaFileA",
  2085. "address": "0x405028"
  2086. }
  2087. ],
  2088. "dll": "GDI32.dll"
  2089. },
  2090. {
  2091. "imports": [
  2092. {
  2093. "name": "RegOpenKeyExW",
  2094. "address": "0x405000"
  2095. }
  2096. ],
  2097. "dll": "ADVAPI32.dll"
  2098. }
  2099. ],
  2100. "digital_signers": null,
  2101. "exported_dll_name": null,
  2102. "actual_checksum": "0x0012d035",
  2103. "overlay": {
  2104. "size": "0x00000d08",
  2105. "offset": "0x00128800"
  2106. },
  2107. "imagebase": "0x00400000",
  2108. "reported_checksum": "0x00133019",
  2109. "icon_hash": null,
  2110. "entrypoint": "0x004039a0",
  2111. "timestamp": "2019-01-31 04:02:08",
  2112. "osversion": "5.0",
  2113. "sections": [
  2114. {
  2115. "name": ".text",
  2116. "characteristics": "IMAGE_SCN_CNT_CODE|IMAGE_SCN_MEM_EXECUTE|IMAGE_SCN_MEM_READ",
  2117. "virtual_address": "0x00001000",
  2118. "size_of_data": "0x00003e00",
  2119. "entropy": "5.34",
  2120. "raw_address": "0x00000400",
  2121. "virtual_size": "0x00003d5a",
  2122. "characteristics_raw": "0x60000020"
  2123. },
  2124. {
  2125. "name": ".rdata",
  2126. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  2127. "virtual_address": "0x00005000",
  2128. "size_of_data": "0x00001000",
  2129. "entropy": "5.24",
  2130. "raw_address": "0x00004200",
  2131. "virtual_size": "0x00000f64",
  2132. "characteristics_raw": "0x40000040"
  2133. },
  2134. {
  2135. "name": ".data",
  2136. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ|IMAGE_SCN_MEM_WRITE",
  2137. "virtual_address": "0x00006000",
  2138. "size_of_data": "0x000fe800",
  2139. "entropy": "7.30",
  2140. "raw_address": "0x00005200",
  2141. "virtual_size": "0x000fec20",
  2142. "characteristics_raw": "0xc0000040"
  2143. },
  2144. {
  2145. "name": ".CRT",
  2146. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  2147. "virtual_address": "0x00105000",
  2148. "size_of_data": "0x00000200",
  2149. "entropy": "0.06",
  2150. "raw_address": "0x00103a00",
  2151. "virtual_size": "0x00000004",
  2152. "characteristics_raw": "0x40000040"
  2153. },
  2154. {
  2155. "name": ".rsrc",
  2156. "characteristics": "IMAGE_SCN_CNT_INITIALIZED_DATA|IMAGE_SCN_MEM_READ",
  2157. "virtual_address": "0x00106000",
  2158. "size_of_data": "0x00024c00",
  2159. "entropy": "7.24",
  2160. "raw_address": "0x00103c00",
  2161. "virtual_size": "0x00101a78",
  2162. "characteristics_raw": "0x40000040"
  2163. }
  2164. ],
  2165. "resources": [],
  2166. "dirents": [
  2167. {
  2168. "virtual_address": "0x00000000",
  2169. "name": "IMAGE_DIRECTORY_ENTRY_EXPORT",
  2170. "size": "0x00000000"
  2171. },
  2172. {
  2173. "virtual_address": "0x00005924",
  2174. "name": "IMAGE_DIRECTORY_ENTRY_IMPORT",
  2175. "size": "0x00000064"
  2176. },
  2177. {
  2178. "virtual_address": "0x00106000",
  2179. "name": "IMAGE_DIRECTORY_ENTRY_RESOURCE",
  2180. "size": "0x00024a78"
  2181. },
  2182. {
  2183. "virtual_address": "0x00000000",
  2184. "name": "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
  2185. "size": "0x00000000"
  2186. },
  2187. {
  2188. "virtual_address": "0x00128800",
  2189. "name": "IMAGE_DIRECTORY_ENTRY_SECURITY",
  2190. "size": "0x00000d08"
  2191. },
  2192. {
  2193. "virtual_address": "0x00000000",
  2194. "name": "IMAGE_DIRECTORY_ENTRY_BASERELOC",
  2195. "size": "0x00000000"
  2196. },
  2197. {
  2198. "virtual_address": "0x00000000",
  2199. "name": "IMAGE_DIRECTORY_ENTRY_DEBUG",
  2200. "size": "0x00000000"
  2201. },
  2202. {
  2203. "virtual_address": "0x00000000",
  2204. "name": "IMAGE_DIRECTORY_ENTRY_COPYRIGHT",
  2205. "size": "0x00000000"
  2206. },
  2207. {
  2208. "virtual_address": "0x00000000",
  2209. "name": "IMAGE_DIRECTORY_ENTRY_GLOBALPTR",
  2210. "size": "0x00000000"
  2211. },
  2212. {
  2213. "virtual_address": "0x00000000",
  2214. "name": "IMAGE_DIRECTORY_ENTRY_TLS",
  2215. "size": "0x00000000"
  2216. },
  2217. {
  2218. "virtual_address": "0x00000000",
  2219. "name": "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG",
  2220. "size": "0x00000000"
  2221. },
  2222. {
  2223. "virtual_address": "0x00000000",
  2224. "name": "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
  2225. "size": "0x00000000"
  2226. },
  2227. {
  2228. "virtual_address": "0x00005000",
  2229. "name": "IMAGE_DIRECTORY_ENTRY_IAT",
  2230. "size": "0x00000110"
  2231. },
  2232. {
  2233. "virtual_address": "0x00000000",
  2234. "name": "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
  2235. "size": "0x00000000"
  2236. },
  2237. {
  2238. "virtual_address": "0x00000000",
  2239. "name": "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR",
  2240. "size": "0x00000000"
  2241. },
  2242. {
  2243. "virtual_address": "0x00000000",
  2244. "name": "IMAGE_DIRECTORY_ENTRY_RESERVED",
  2245. "size": "0x00000000"
  2246. }
  2247. ],
  2248. "exports": [],
  2249. "guest_signers": {},
  2250. "imphash": "3c775e96b806128b1dc225d68ec6d59a",
  2251. "icon_fuzzy": null,
  2252. "icon": null,
  2253. "pdbpath": null,
  2254. "imported_dll_count": 4,
  2255. "versioninfo": []
  2256. }
  2257. }